From 0957626e260ead507ab77877c6f32c54e23d6227 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Fri, 22 Nov 2024 14:14:53 +0100 Subject: [PATCH] fix(tcp_transport): Fix websocket header read to handle overflow --- components/tcp_transport/transport_ws.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c index 6367b0d315..c7bf29b9a4 100644 --- a/components/tcp_transport/transport_ws.c +++ b/components/tcp_transport/transport_ws.c @@ -293,7 +293,12 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int ws->buffer_len = header_len; ws->buffer[header_len] = '\0'; // We will mark the end of the header to ensure that strstr operations for parsing the headers don't fail. ESP_LOGD(TAG, "Read header chunk %d, current header size: %d", len, header_len); - } while (NULL == strstr(ws->buffer, delimiter) && header_len < WS_BUFFER_SIZE); + } while (NULL == strstr(ws->buffer, delimiter) && header_len < WS_BUFFER_SIZE - 1); + + if (header_len >= WS_BUFFER_SIZE - 1) { + ESP_LOGE(TAG, "Header size exceeded buffer size"); + return -1; + } char* delim_ptr = strstr(ws->buffer, delimiter);