
Critical Stack Overflow in vendor_ie_data_t usage due to flexible array misuse #155

@wzf2020

Description


Environment

  • Module or chip used: [e.g. ESP32-S3]
  • IDF version: v5.4.2 (or commit hash)
  • Operating System: Linux
  • File: WiFi_TX.cpp

Problem Description

I encountered a critical crash (Guru Meditation Error: Core 0 panic'ed (Double exception)) when using vendor_ie_data_t with memcpy on the payload[0] flexible array member.

The crash is caused by stack overflow due to writing to payload without allocating sufficient memory. The vendor_ie_data_t structure uses a flexible array (uint8_t payload[0];)

```c
vendor_ie_data_t IE_data;                 // stack-allocated: only the 6 header bytes exist, payload has zero size
memcpy(IE_data.payload, src, len);        // ❌ Writes beyond stack-allocated struct → stack corruption
```

Suggested Fix / Improvement

vendor_ie_data_t must be allocated with:

```c
// Header (sizeof covers element_id, length, OUI and OUI type) plus the payload bytes
total_size = sizeof(vendor_ie_data_t) + length - header_offset;
vendor_ie_data_t* IE_data = malloc(total_size);
if (IE_data == NULL) {
    // handle allocation failure
}

IE_data->element_id = WIFI_VENDOR_IE_ELEMENT_ID;
IE_data->length = 4 + (length - header_offset);   // OUI(3) + OUI type(1) + payload, as esp_wifi_set_vendor_ie expects
IE_data->vendor_oui[0] = 0xFA;
IE_data->vendor_oui[1] = 0x0B;
IE_data->vendor_oui[2] = 0xBC;
IE_data->vendor_oui_type = 0x0D;

memcpy(IE_data->payload, &buffer[header_offset], length - header_offset);
if (esp_wifi_set_vendor_ie(false, WIFI_VND_IE_TYPE_BEACON, WIFI_VND_IE_ID_0, IE_data) != ESP_OK)
....
free(IE_data);
```
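A stand-alone version of the corrected allocation, added here as an example and not code from the issue or from ESP-IDF. It mirrors the vendor_ie_data_t field layout locally so it compiles off-target (on the ESP32 include esp_wifi.h instead); the OUI, OUI type and payload bytes are constructed, and the 4-byte header constant and 251-byte payload limit follow from the 8-bit IE length field.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local mirror of the ESP-IDF vendor_ie_data_t layout so the example builds
 * on a host. ESP-IDF spells the last member payload[0]; the C99 form is used here. */
typedef struct {
    uint8_t element_id;      /* WIFI_VENDOR_IE_ELEMENT_ID (0xDD) */
    uint8_t length;          /* bytes after this field: OUI(3) + type(1) + payload */
    uint8_t vendor_oui[3];
    uint8_t vendor_oui_type;
    uint8_t payload[];       /* flexible array member: contributes nothing to sizeof */
} vendor_ie_data_t;

#define WIFI_VENDOR_IE_ELEMENT_ID 0xDD
#define VENDOR_IE_HDR_AFTER_LEN   4                              /* OUI + OUI type */
#define VENDOR_IE_MAX_PAYLOAD     (255 - VENDOR_IE_HDR_AFTER_LEN) /* 8-bit IE length */

/* Allocate a vendor IE on the heap with room for payload_len payload bytes.
 * Returns NULL on allocation failure or if the payload would not fit in the
 * 8-bit length field (which would otherwise silently truncate). */
vendor_ie_data_t *vendor_ie_alloc(const uint8_t oui[3], uint8_t oui_type,
                                  const uint8_t *payload, size_t payload_len)
{
    if (payload_len > VENDOR_IE_MAX_PAYLOAD) {
        return NULL;
    }
    /* sizeof(*ie) is only the 6 header bytes; the payload must be added
     * explicitly, which is what the stack-allocated struct in the report lacked. */
    vendor_ie_data_t *ie = malloc(sizeof(*ie) + payload_len);
    if (ie == NULL) {
        return NULL;
    }
    ie->element_id = WIFI_VENDOR_IE_ELEMENT_ID;
    ie->length = (uint8_t)(VENDOR_IE_HDR_AFTER_LEN + payload_len);
    memcpy(ie->vendor_oui, oui, 3);
    ie->vendor_oui_type = oui_type;
    memcpy(ie->payload, payload, payload_len);
    return ie;
}

/* Total bytes the IE occupies in the allocation and on the wire:
 * element_id + length fields plus everything the length field declares. */
size_t vendor_ie_total_size(const vendor_ie_data_t *ie)
{
    return 2 + (size_t)ie->length;
}
```

The caller frees the returned pointer after esp_wifi_set_vendor_ie has returned, exactly as in the fix above.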
