fix(tcp_transport): off-by-one buffer corruption when WS header buffer full

glmfe · glmfe · commit 23572e043e32 · 2025-06-26T08:05:46.000-03:00
- Fix out of boundaries access
 - Improve test cases to cover this issue
diff --git a/components/tcp_transport/host_test/main/test_websocket_transport.cpp b/components/tcp_transport/host_test/main/test_websocket_transport.cpp
@@ -220,7 +220,6 @@ TEST_CASE("WebSocket Transport Connection", "[success]")
                                       "Sec-WebSocket-Accept:\r\n"
                                       "\r\n";
         REQUIRE(std::string(response_header_buffer.data()) == expected_header);
-
         char buffer[WS_BUFFER_SIZE];
         int read_len = 0;
         int partial_read;
@@ -245,12 +244,18 @@ TEST_CASE("WebSocket Transport Connection", "[success]")
         esp_crypto_base64_encode_ExpectAnyArgsAndReturn(0);
         mock_destroy_ExpectAnyArgsAndReturn(ESP_OK);
 
+        // Create a marker to check that the value after the end of the response header buffer is not overwritten
+        std::string expected_full_header = make_response();
+        char marker = static_cast<char>(~expected_full_header[ws_config.response_headers_len]);
+        response_header_buffer[ws_config.response_headers_len] = marker;
+
         REQUIRE(esp_transport_connect(websocket_transport.get(), host, port, timeout) == 0);
 
         // Verify the response header was stored correctly. it must contain only ten bytes and be null terminated
-        std::string expected_header = "HTTP/1.1 1\0";
+        std::string expected_header = "HTTP/1.1 \0";
 
         REQUIRE(std::string(response_header_buffer.data()) == expected_header);
+        REQUIRE(response_header_buffer[ws_config.response_headers_len] == marker);
     }
 }
 
diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c
@@ -312,13 +312,13 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int
     }
 
     if(ws->response_header) {
-        if(ws->response_header_len < header_len) {
+        if(ws->response_header_len - 1 < header_len) {
             ESP_LOGW(TAG, "Received header length exceedes the allocated buffer size (need=%d, allocated=%d), truncating to allocated size", header_len, ws->response_header_len);
             header_len = ws->response_header_len;
         }
         // Copy response header to the static array
         strncpy(ws->response_header, ws->buffer, header_len);
-        ws->response_header[header_len] = '\0';
+        ws->response_header[ws->response_header_len - 1] = '\0';
     }
 
     char* delim_ptr = strstr(ws->buffer, delimiter);

Original file line number	Diff line number	Diff line change
`@@ -312,13 +312,13 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`if(ws->response_header) {`
`315`		`- if(ws->response_header_len < header_len) {`
	`315`	`+ if(ws->response_header_len - 1 < header_len) {`
`316`	`316`	`ESP_LOGW(TAG, "Received header length exceedes the allocated buffer size (need=%d, allocated=%d), truncating to allocated size", header_len, ws->response_header_len);`
`317`	`317`	`header_len = ws->response_header_len;`
`318`	`318`	`}`
`319`	`319`	`// Copy response header to the static array`
`320`	`320`	`strncpy(ws->response_header, ws->buffer, header_len);`
`321`		`- ws->response_header[header_len] = '\0';`
	`321`	`+ ws->response_header[ws->response_header_len - 1] = '\0';`
`322`	`322`	`}`
`323`	`323`
`324`	`324`	`char* delim_ptr = strstr(ws->buffer, delimiter);`