From 22d8a3c9d25c4a4ddc0004d835b2ea546f60bcf6 Mon Sep 17 00:00:00 2001 From: Johan Stokking Date: Sun, 14 Jul 2024 14:05:50 +0200 Subject: [PATCH] fix(tcp_transport): fix buffer overflow in ws connect --- components/tcp_transport/transport_ws.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c index f7434aa02f..06a5c13f8f 100644 --- a/components/tcp_transport/transport_ws.c +++ b/components/tcp_transport/transport_ws.c @@ -285,7 +285,7 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int } int header_len = 0; do { - if ((len = esp_transport_read(ws->parent, ws->buffer + header_len, WS_BUFFER_SIZE - header_len, timeout_ms)) <= 0) { + if ((len = esp_transport_read(ws->parent, ws->buffer + header_len, WS_BUFFER_SIZE - header_len - 1, timeout_ms)) <= 0) { ESP_LOGE(TAG, "Error read response for Upgrade header %s", ws->buffer); return -1; } @@ -293,7 +293,7 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int ws->buffer_len = header_len; ws->buffer[header_len] = '\0'; // We will mark the end of the header to ensure that strstr operations for parsing the headers don't fail. ESP_LOGD(TAG, "Read header chunk %d, current header size: %d", len, header_len); - } while (NULL == strstr(ws->buffer, delimiter) && header_len < WS_BUFFER_SIZE); + } while (NULL == strstr(ws->buffer, delimiter) && header_len < WS_BUFFER_SIZE - 1); char* delim_ptr = strstr(ws->buffer, delimiter);