Description
Issue 1: StackOverflow
Affected File: WebSocketsClient.cpp, handleClientData(), WSC_BODY case
Description: When parsing HTTP body data during Socket.IO connection setup, a 256-byte stack buffer is zero-initialized and up to 256 bytes are read into it. The buffer is then passed to the String constructor which internally calls strlen().
Vulnerability: If exactly 256 non-null bytes are received, strlen() reads past the buffer boundary searching for a null terminator, causing a stack buffer overread.
```cpp
case WSC_BODY: {
    char buf[256] = { 0 };
    _client.tcp->readBytes(&buf[0], std::min((size_t)len, sizeof(buf)));
    String bodyLine = buf; // strlen() overreads if all 256 bytes are non-null
```
Tested and confirmed with ASan output:

```text
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffffeed2c090
READ of size 263 at 0xffffeed2c090 thread T0
    #0 __interceptor_strlen
    #1 String::String(char const*) /test/vuln_poc.cpp:52
    #2 vulnerable_pattern_1(TCPClient&, int) /test/vuln_poc.cpp:207
  [64, 320) 'buf' (line 205) <== Memory access at offset 320 overflows this variable
```
Issue 2: Unbounded Heap Allocation
Affected Files: WebSocketsClient.cpp, handleClientData(), WSC_HEADER case
Description: During HTTP header parsing, readStringUntil('\n') reads data until a newline character with no maximum length limit. A malicious peer can send a continuous stream of data without newlines, causing unbounded heap allocation until memory is exhausted.
Vulnerable Code (WebSocketsClient.cpp):

```cpp
String headerLine = _client.tcp->readStringUntil('\n'); // No length limit
```
Impact: Denial of Service via memory exhaustion, especially on ESP32 platforms with limited memory
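For illustration, here is an added example (not code from the report or from the arduinoWebSockets project) showing the two bounded reads that address both issues: the body read leaves room for a terminator before the buffer reaches a strlen()-based constructor, and the header read caps the line length and fails instead of growing without limit. `FakeTcp` is a constructed in-memory stand-in for `_client.tcp`, and `std::string` stands in for the Arduino `String`.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>

// Constructed stand-in for _client.tcp: an in-memory byte source with the
// same readBytes()/read()/available() shape the Arduino client exposes.
struct FakeTcp {
    std::string data;
    size_t pos = 0;
    int available() const { return static_cast<int>(data.size() - pos); }
    int read() { return pos < data.size() ? static_cast<unsigned char>(data[pos++]) : -1; }
    size_t readBytes(char* dst, size_t n) {
        size_t k = std::min(n, data.size() - pos);
        std::memcpy(dst, data.data() + pos, k);
        pos += k;
        return k;
    }
};

// Hardened WSC_BODY read: never fill the last byte, so the buffer is always
// NUL-terminated before it is handed to a strlen()-based String constructor.
std::string readBodyBounded(FakeTcp& tcp, size_t len) {
    char buf[256] = { 0 };
    size_t n = tcp.readBytes(buf, std::min(len, sizeof(buf) - 1));
    buf[n] = '\0';           // explicit terminator; n <= 255 so this is in bounds
    return std::string(buf); // strlen() now stops inside buf
}

// Hardened WSC_HEADER read: readStringUntil('\n') with a hard cap. Returns
// false (leaving `out` with what was read) if the cap is hit before a newline,
// so the caller can drop the connection instead of growing the heap.
bool readLineBounded(FakeTcp& tcp, std::string& out, size_t maxLen) {
    out.clear();
    while (tcp.available() > 0) {
        int c = tcp.read();
        if (c == '\n') return true;
        if (out.size() >= maxLen) return false; // cap reached: refuse the line
        out.push_back(static_cast<char>(c));
    }
    return false; // stream ended without a newline
}
```

With a 300-byte non-null body, readBodyBounded() returns 255 bytes and never reads past `buf`; with a 1000-byte stream lacking a newline and a 512-byte cap, readLineBounded() stops at 512 bytes and reports failure.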
Further POC files can be given if needed. Added suggested code patches here:
https://github.com/omaidf/arduinoWebSockets/tree/socketfix