fix(ws_transport): Fix crash when reading (IDFGH-13657) #14536

Merged Sep 19, 2024 (1 commit)


@Sean-Der Sean-Der commented Sep 9, 2024

Description

When parsing the WS framing protocol, integer promotion would cause invalid values to be read. Acting upon these values would eventually cause a crash.

Related

Fixes espressif/esp-protocols#645

Testing

If you send a message longer than 128 to the websocket echo service, the response will cause a crash. This can easily be reproduced with the esp-protocols websocket example.

diff --git a/components/esp_websocket_client/examples/linux/main/websocket_linux.c b/components/esp_websocket_client/examples/linux/main/websocket_linux.c
index 3329274..a8f0ba3 100644
--- a/components/esp_websocket_client/examples/linux/main/websocket_linux.c
+++ b/components/esp_websocket_client/examples/linux/main/websocket_linux.c
@@ -84,11 +84,11 @@ static void websocket_app_start(void)
     esp_websocket_register_events(client, WEBSOCKET_EVENT_ANY, websocket_event_handler, (void *)client);

     esp_websocket_client_start(client);
-    char data[32];
+    char data[256];
     int i = 0;
     while (i < 1) {
         if (esp_websocket_client_is_connected(client)) {
-            int len = sprintf(data, "hello %04d", i++);
+            int len = sprintf(data, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
             ESP_LOGI(TAG, "Sending %s", data);
             esp_websocket_client_send_text(client, data, len, portMAX_DELAY);
         }
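
Review bot: the replacement `sprintf` line drops the `i++` that the removed line carried, so within the lines shown nothing advances `i` and `while (i < 1)` keeps resending for as long as the client stays connected; increment `i` after the send if a single message is intended. The 130-character literal is also passed directly as the format string of an unbounded `sprintf`; `snprintf(data, sizeof(data), "%s", ...)` would keep the write inside `data[256]` if the test string is later lengthened or gains a `%`. The "Sending" line in the output quoted below shows an all-uppercase payload ending in ` 0000`, which does not match this literal, so that log appears to come from a different revision of the reproducer.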

Results in the following output

I (739925786) websocket: [APP] Startup..
I (739925786) websocket: [APP] Free memory: 4294967295 bytes
I (739925786) websocket: [APP] IDF version: v5.4-dev-1388-g5ca9f2a49a-dirty
I (739925790) websocket: Connecting to ws://echo.websocket.events...
W (739925790) websocket_client: `reconnect_timeout_ms` is not set, or it is less than or equal to zero, using default time out 10000 (milliseconds)
W (739925790) websocket_client: `network_timeout_ms` is not set, or it is less than or equal to zero, using default time out 10000 (milliseconds)
I (739925790) websocket: WEBSOCKET_EVENT_BEGIN
I (739925791) websocket_client: Started
I (739925912) websocket: WEBSOCKET_EVENT_CONNECTED
I (739926792) websocket: Sending ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ 0000
I (739926914) websocket: WEBSOCKET_EVENT_DATA
I (739926914) websocket: Received opcode=1
W (739926914) websocket: Received=echo.websocket.events sponsored by Lob.com
W (739926914) websocket: Total payload length=42, data_len=42, current payload offset=0

Segmentation fault (core dumped)

Checklist

Before submitting a Pull Request, please ensure the following:

  • 🚨 This PR does not introduce breaking changes.
  • All CI checks (GH Actions) pass.
  • Documentation is updated as needed.
  • Tests are updated or added as necessary.
  • Code is well-commented, especially in complex areas.
  • Git history is clean — commits are squashed to the minimum necessary.

When parsing WS framing protocol integer promotion would cause
invalid values to be read. Acting upon these values would eventually
cause a crash

Fixes esp-protocols#645

Sean-Der commented Sep 9, 2024

@david-cermak FYI

@suren-gabrielyan-espressif I see lots of your commits re: Linux support. This would be really helpful for Linux users (how I find it myself)

@espressif-bot espressif-bot added the Status: Opened Issue is new label Sep 9, 2024
@github-actions github-actions bot changed the title fix(ws_transport): Fix crash when reading fix(ws_transport): Fix crash when reading (IDFGH-13657) Sep 9, 2024
@espressif-bot espressif-bot added Status: Selected for Development Issue is selected for development and removed Status: Opened Issue is new labels Sep 10, 2024

@david-cermak david-cermak left a comment


LGTM, thanks for the fixes!

Although it seems easier to declare data_ptr as uint8_t, there might be other conversion issues as the default transport buffer is just char. That's why I think this fix is probably the best option for now.

(maybe we can build linux target with -funsigned-char)
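
The sign-extension failure this PR describes, and the `char` versus `uint8_t` point in the review comment above, shown as an added example that is not code from the PR or from ESP-IDF. The function names and the sample header are hypothetical; it assumes a two's-complement target and covers only the 16-bit extended payload length of the WebSocket framing (7-bit length field equal to 126).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: unmasked text frame header (FIN=1, opcode=1) whose
 * 7-bit length field is 126, so the next two bytes carry the real length:
 * 0x0082 = 130 payload bytes. */
static const unsigned char SAMPLE_HDR[4] = { 0x81, 0x7E, 0x00, 0x82 };

/* Hypothetical parser modelling a target where plain char is signed: each
 * byte is promoted to int with sign extension before being combined. */
long ws_len_signed(const signed char *p)
{
    int len7 = p[1] & 0x7F;
    if (len7 != 126) {
        return len7;
    }
    return (p[2] * 256) | p[3];   /* 0x82 promotes to -126, not 130 */
}

/* Hypothetical hardened parser: reads bytes as uint8_t, checks that the
 * header is complete and that the length fits the caller's buffer.
 * Returns the payload length, or -1 on any rejected header. */
long ws_len_checked(const char *buf, size_t buf_len, size_t max_payload)
{
    const uint8_t *p = (const uint8_t *)buf;
    if (buf_len < 2) {
        return -1;
    }
    size_t len = p[1] & 0x7F;
    if (len == 127) {
        return -1;               /* 64-bit lengths are out of scope here */
    }
    if (len == 126) {
        if (buf_len < 4) {
            return -1;
        }
        len = ((size_t)p[2] << 8) | p[3];
    }
    return len <= max_payload ? (long)len : -1;
}

int main(void)
{
    printf("signed bytes:  %ld\n", ws_len_signed((const signed char *)SAMPLE_HDR));
    printf("uint8_t bytes: %ld\n", ws_len_checked((const char *)SAMPLE_HDR, 4, 1024));
    return 0;
}
```

Any length whose low byte is 0x80 or above goes negative in the signed variant, and a negative length later used as a `size_t` becomes an enormous read or copy size.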

@espressif-bot espressif-bot added Status: Done Issue is done internally Resolution: NA Issue resolution is unavailable and removed Status: Selected for Development Issue is selected for development labels Sep 18, 2024
@espressif-bot espressif-bot merged commit 22facff into espressif:master Sep 19, 2024
8 checks passed
@Sean-Der Sean-Der deleted the ws-crash branch September 24, 2024 14:16

Successfully merging this pull request may close these issues.

[client-websocket] Random crashes, possible root cause from valgrind (IDFGH-13642)