From 10a2c2ccc90fe34d07f8938ccb1c2fb1fd2aa287 Mon Sep 17 00:00:00 2001
From: Richard Allen <richard@bryghtlabs.com>
Date: Mon, 22 Apr 2024 08:34:44 -0500
Subject: [PATCH] fix(ws_transport): fixed `server-key` corruption

When first fragment is sent over HTTP during websocket
connection, defer buffering of fragment until after the
websocket server-key is validated.

This order is required because the first fragment buffering
overwrites the memory holding the server-key headers.

Fixes 2267d4b
Fixes https://github.com/espressif/esp-protocols/issues/396
PR https://github.com/espressif/esp-idf/pull/13724
---
 components/tcp_transport/transport_ws.c | 30 +++++++++++++------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c
index 75cea861041..aaf0ce42c15 100644
--- a/components/tcp_transport/transport_ws.c
+++ b/components/tcp_transport/transport_ws.c
@@ -307,20 +307,6 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int
         return -1;
     }
 
-    if (delim_ptr != NULL) {
-        size_t delim_pos = delim_ptr - ws->buffer + sizeof(delimiter) - 1;
-        size_t remaining_len = ws->buffer_len - delim_pos;
-        if (remaining_len > 0) {
-            memmove(ws->buffer, ws->buffer + delim_pos, remaining_len);
-            ws->buffer_len = remaining_len;
-        } else {
-#ifdef CONFIG_WS_DYNAMIC_BUFFER
-            free(ws->buffer);
-            ws->buffer = NULL;
-#endif
-            ws->buffer_len = 0;
-        }
-    }
     // See esp_crypto_sha1() arg size
     unsigned char expected_server_sha1[20];
     // Size of base64 coded string see above
@@ -340,6 +326,22 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int
         ESP_LOGE(TAG, "Invalid websocket key");
         return -1;
     }
+
+    if (delim_ptr != NULL) {
+        size_t delim_pos = delim_ptr - ws->buffer + sizeof(delimiter) - 1;
+        size_t remaining_len = ws->buffer_len - delim_pos;
+        if (remaining_len > 0) {
+            memmove(ws->buffer, ws->buffer + delim_pos, remaining_len);
+            ws->buffer_len = remaining_len;
+        } else {
+#ifdef CONFIG_WS_DYNAMIC_BUFFER
+            free(ws->buffer);
+            ws->buffer = NULL;
+#endif
+            ws->buffer_len = 0;
+        }
+    }
+
     return 0;
 }