WEBSOCKET Double free in esp_websocket_client during error/teardown race (IDFGH-16555)

[filzek]

Answers checklist.

• I have read the documentation for esp-protocols components and the issue is not addressed there.
• I have updated my esp-protocols branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

What component are you using? If you choose Other, provide details in More Information.

esp_websocket_client

component version

1.5.0

IDF version.

v5.4.1-18-g6f30fb434d

More Information.

Hi @glmfe, the websocket double free/tls exception still happening frequently.

Description
When a WebSocket connection aborts unexpectedly, the client sometimes crashes with a TLSF assertion failure indicating a double free. This appears to happen because both the error path and the send/abort path attempt to close and free the same TLS transport, leading to heap corruption.

Observed Behavior

Connection is aborted (errno=113, mbedtls read error :-0x004C).

WEBSOCKET_EVENT_ERROR is fired.

Application code attempts to send or abort, which calls into esp_websocket_client_abort_connection().

The transport is closed twice (esp_transport_close appears twice in the backtrace).

TLS tries to free already-freed memory → assert failed: tlsf_free ... "block already marked as free".

Device reboots with heap corruption.

Backtrace (excerpt)

assert failed: tlsf_free tlsf.c:629 (!block_is_free(block) && "block already marked as free")
esp_tls_conn_destroy -> base_close -> esp_transport_close
ws_close -> esp_transport_close
esp_websocket_client_abort_connection
esp_websocket_client_send_text
EWC_process_queue_tosend
...

Expected Behavior

The WebSocket client should handle error/teardown idempotently.

A single close/free of the TLS transport should occur, even if application code calls abort/stop concurrently with internal error handling.

No heap corruption or double free should be possible.

Steps to Reproduce

Establish a TLS WebSocket connection.

Force the server to close the connection abruptly (RST).

Allow the client task to attempt a send just after the error event is triggered.

Observe crash with TLSF double free assertion.

Environment

ESP-IDF: special build (14.2_20240403 toolchain)

Component: esp_websocket_client + esp-tls + tcp_transport

Target: ESP32 (WROVER module)

Impact
This results in device resets in production when WebSocket connections drop under load or unstable networks.

Possible Root Cause
esp_websocket_client_abort_connection() can trigger esp_transport_close() on a transport that has already been closed by the error path. Without internal idempotency checks, the TLS handle is freed twice, leading to heap metadata corruption.

Suggested Fixes

Make esp_websocket_client_abort_connection() idempotent with an internal “closing” flag.

Ensure ws_close() nullifies the transport pointer before returning.

Optionally enforce a mutex inside esp_websocket_client to serialize close/send/abort.

Additional Notes
App-level guards help, but the library itself should guarantee that teardown paths are safe to call once or multiple times.

REPORT BUG:
2025-09-30 18:44:10 RECEIVED [4145156]
2025-09-30 18:44:10 E (18:44:11.958) transport_base: poll_write select error 113, errno = Software caused connection abort, fd = 31
2025-09-30 18:44:10 E (18:44:11.968) esp-tls-mbedtls: read error :-0x004C
2025-09-30 18:44:10 E (18:44:11.971) transport_ws: Error transport_poll_write
2025-09-30 18:44:10 E (18:44:11.975) transport_base: esp_tls_conn_read error, errno=Software caused connection abort
2025-09-30 18:44:10 E (18:44:12.001) transport_ws: Error read data
2025-09-30 18:44:10 _write() returned -1, transport_error=ESP_OK, tls_error_code=0, tls_flags=0, errno=0
2025-09-30 18:44:10 E (18:44:12.001) transport_ws: Error read data
2025-09-30 18:44:10 WebSocket Event: WEBSOCKET_EVENT_ERROR (0)
2025-09-30 18:44:10 E (18:44:12.030) websocket_client: esp_transport_read() failed with -76, transport_error=ESP_OK, tls_error_code=76, tls_flags=0, errno=113
2025-09-30 18:44:10 WebSocket error
2025-09-30 18:44:10 WebSocket Event: WEBSOCKET_EVENT_ERROR (0)
2025-09-30 18:44:10 WebSocket error
2025-09-30 18:44:10 E (18:44:12.087) websocket_client: Error receive data
2025-09-30 18:44:10
2025-09-30 18:44:10 assert failed: tlsf_free tlsf.c:629 (!block_is_free(block) && "block already marked as free")
HINT: CORRUPT HEAP: heap metadata corrupted resulting in TLSF malfunction.
Make sure you are not making out of bound writing on the memory you allocate in your application.
Make sure you are not writing on freed memory.
For more information run 'idf.py docs -sp api-reference/system/heap_debug.html'.
2025-09-30 18:44:10
2025-09-30 18:44:10
2025-09-30 18:44:11 Backtrace: 0x40081e24:0x3ffd6a60 0x40096171:0x3ffd6a80 0x4009902d:0x3ffd6aa0 0x400d96f7:0x3ffd6bd0 0x400d8852:0x3ffd6bf0 0x400da157:0x3ffd6c10 0x40099065:0x3ffd6c30 0x4017ced1:0x3ffd6c50 0x4017cc52:0x3ffd6c70 0x4017eba8:0x3ffd6c90 0x401fec9d:0x3ffd6cb0 0x4017f621:0x3ffd6cd0 0x401fec9d:0x3ffd6cf0 0x4012f3e4:0x3ffd6d10 0x401308bf:0x3ffd6d40 0x401308e1:0x3ffd6d80 0x40110eeb:0x3ffd6da0 0x40110f6b:0x3ffd6de0 0x400e650b:0x3ffd6e00 0x4011066f:0x3ffd6e20 0x401109b9:0x3ffd6e70 0x400f5038:0x3ffd6e90 0x401036e4:0x3ffd76f0 0x4009662a:0x3ffd7810
2025-09-30 18:44:11 --- 0x40081e24: panic_abort at C:/Espressif/frameworks/esp-idf-special/components/esp_system/panic.c:454
--- 0x40096171:
2025-09-30 18:44:11
2025-09-30 18:44:11
2025-09-30 18:44:11
2025-09-30 18:44:11 ELF file SHA256: 81bacc41e
esp_system_abort at C:/Espressif/frameworks/esp-idf-special/components/esp_system/port/esp_system_chip.c:87
--- 0x4009902d: __assert_func at C:/Espressif/frameworks/esp-idf-special/components/newlib/assert.c:80
--- 0x400d96f7: block_next at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:161
--- (inlined by) block_link_next at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:168
--- (inlined by) block_mark_as_free at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:176
--- (inlined by) tlsf_free at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf.c:630
--- 0x400d8852: multi_heap_free_impl at C:/Espressif/frameworks/esp-idf-special/components/heap/multi_heap.c:233
--- (inlined by) multi_heap_free_impl at C:/Espressif/frameworks/esp-idf-special/components/heap/multi_heap.c:222
--- 0x400da157: heap_caps_free at C:/Espressif/frameworks/esp-idf-special/components/heap/heap_caps_base.c:75
--- 0x40099065: free at C:/Espressif/frameworks/esp-idf-special/components/newlib/heap.c:39
--- 0x4017ced1: esp_tls_internal_event_tracker_destroy at C:/Espressif/frameworks/esp-idf-special/components/esp-tls/esp_tls_error_capture.c:50
--- 0x4017cc52: esp_tls_conn_destroy at C:/Espressif/frameworks/esp-idf-special/components/esp-tls/esp_tls.c:160
--- 0x4017eba8: base_close at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport_ssl.c:335
--- 0x401fec9d: esp_transport_close at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport.c:172
--- 0x4017f621: ws_close at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport_ws.c:680
--- 0x401fec9d: esp_transport_close at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport.c:172
--- 0x4012f3e4: esp_websocket_client_abort_connection at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:240
--- 0x401308bf: esp_websocket_client_send_with_exact_opcode at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:662
--- 0x401308e1: esp_websocket_client_send_with_opcode at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:1352
--- (inlined by) esp_websocket_client_send_text at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:1322
--- 0x40110eeb: EWC_process_queue_tosend at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1121
--- 0x40110f6b: EWC_request_flush at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1244
--- 0x400e650b: WISEON_request_flush at D:/Dropbox/Dev/wisehome_project/main/include/websocket_lib.c:1782
--- 0x4011066f: EWC_enqueue_item_reply at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:454
--- (inlined by) EWC_enqueue_item_reply at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:369
--- 0x401109b9: WISEON_enqueue_item_reply at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1260
--- 0x400f5038: executar at D:/Dropbox/Dev/wisehome_project/main/include/exec_utils.c:6815
--- 0x401036e4: taskExecCMD at D:/Dropbox/Dev/wisehome_project/main/tasks/taskSentinela.c:4018
--- 0x4009662a: vPortTaskWrapper at C:/Espressif/frameworks/esp-idf-special/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:139
2025-09-30 18:44:11
2025-09-30 18:44:11 Entering gdb stub now.
2025-09-30 18:44:11 $T04#b8GNU gdb (esp-gdb) 14.2_20240403
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.

[gabsuren]

Hi @filzek,
Thank you for reporting this heap corruption issue. I'm currently investigating the problem and trying to reproduce it in our test environment.
To help me reproduce, could you please provide thesdkconfig file also?
Specifically, I'm interested in:
CONFIG_ESP_WS_CLIENT_ENABLE_DYNAMIC_BUFFER - Is this set to y?
Any other WebSocket-related configurations you might have customized?

What specific operations trigger the heap corruption? (e.g., rapid connect/disconnect, large message transfers, etc.)
Are you using multiple WebSocket connections simultaneously?

[filzek]

@gabsuren the problem is double close happening in the websocket layer.

we are using the raw websocket client file without any changes, also we have teste all patches send by ginle and david as well, attached are the websocket file.

here is a full log that we are able to capture yesterday with the double free on close by the websocket layer.

E (00:48:26.486) transport_ws: Error transport_poll_write
E (00:48:26.487) websocket_client: esp_transport_write() returned 0, transport_error=ESP_OK, tls_error_code=0, tls_flags=0, errno=0
E (00:48:26.506) esp-tls-mbedtls: read error :-0x7100
E (00:48:26.508) transport_base: esp_tls_conn_read error, errno=Connection already in progress
E (00:48:26.524) transport_ws: Error read data
E (00:48:26.533) websocket_client: esp_transport_read() failed with -28928, transport_error=ESP_OK, tls_error_code=28928, tls_flags=0, errno=119
E (00:48:26.559) websocket_client: Error receive data
I (00:48:26.569) websocket_client: Reconnect after 2000 ms

assert failed: tlsf_free tlsf.c:629 (!block_is_free(block) && "block already marked as free")
HINT: CORRUPT HEAP: heap metadata corrupted resulting in TLSF malfunction.
Make sure you are not making out of bound writing on the memory you allocate in your application.
Make sure you are not writing on freed memory.
For more information run 'idf.py docs -sp api-reference/system/heap_debug.html'.

Backtrace: 0x40081e24:0x3ffd9250 0x40096171:0x3ffd9270 0x4009902d:0x3ffd9290 0x400d97a3:0x3ffd93c0 0x400d88fe:0x3ffd93e0 0x400da203:0x3ffd9400 0x40099065:0x3ffd9420 0x4017d61d:0x3ffd9440 0x4017d39e:0x3ffd9460 0x4017f2f4:0x3ffd9480 0x401ff401:0x3ffd94a0 0x4017fd6d:0x3ffd94c0 0x401ff401:0x3ffd94e0 0x4012f9df:0x3ffd9500 0x40130fdf:0x3ffd9530 0x40131001:0x3ffd9570 0x40110f9b:0x3ffd9590 0x4011101b:0x3ffd95d0 0x400e650f:0x3ffd95f0 0x4011071f:0x3ffd9610 0x40110a69:0x3ffd9660 0x400f4648:0x3ffd9680 0x400f9c26:0x3ffd9ee0 0x4010209d:0x3ffd9f00 0x4009662a:0x3ffda970
--- 0x40081e24: panic_abort at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/esp_system/panic.c:454
--- 0x40096171: esp_system_abort at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/esp_system/port/esp_system_chip.c:87
--- 0x4009902d: __assert_func at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/newlib/assert.c:80
--- 0x400d97a3: block_next at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:161
--- (inlined by) block_link_next at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:168
--- (inlined by) block_mark_as_free at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:176
--- (inlined by) tlsf_free at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf.c:630
--- 0x400d88fe: multi_heap_free_impl at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/multi_heap.c:233
--- (inlined by) multi_heap_free_impl at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/multi_heap.c:222
--- 0x400da203: heap_caps_free at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/heap/heap_caps_base.c:75
--- 0x40099065: free at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/newlib/heap.c:39
--- 0x4017d61d: esp_tls_internal_event_tracker_destroy at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/esp-tls/esp_tls_error_capture.c:50
--- 0x4017d39e: esp_tls_conn_destroy at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/esp-tls/esp_tls.c:160
--- 0x4017f2f4: base_close at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport_ssl.c:335
--- 0x401ff401: esp_transport_close at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport.c:172
--- 0x4017fd6d: ws_close at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport_ws.c:680
--- 0x401ff401: esp_transport_close at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport.c:172
--- 0x4012f9df: esp_websocket_client_abort_connection at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:254
--- 0x40130fdf: esp_websocket_client_send_with_exact_opcode at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:677
--- 0x40131001: esp_websocket_client_send_with_opcode at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:1446
--- (inlined by) esp_websocket_client_send_text at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:1416
--- 0x40110f9b: EWC_process_queue_tosend at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1121
--- 0x4011101b: EWC_request_flush at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1244
--- 0x400e650f: WISEON_request_flush at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/include/websocket_lib.c:1782
--- 0x4011071f: EWC_enqueue_item_reply at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:454
--- (inlined by) EWC_enqueue_item_reply at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:369
--- 0x40110a69: WISEON_enqueue_item_reply at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1260
--- 0x400f4648: executar at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/include/exec_utils.c:6235
--- 0x400f9c26: get_port_status at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/include/exec_utils.c:11081
--- 0x4010209d: taskSentinela at D:\Dropbox\Dev\wisehome_project\build/D:/Dropbox/Dev/wisehome_project/main/tasks/taskSentinela.c:3674
--- 0x4009662a: vPortTaskWrapper at D:\Dropbox\Dev\wisehome_project\build/C:/Espressif/frameworks/esp-idf-special/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:139

(gdb) bt
#0 panic_abort (details=0x3ffd92d4 "assert failed: tlsf_free tlsf.c:629 (!block_is_free(block) && "block already marked as free")")
HINT: CORRUPT HEAP: heap metadata corrupted resulting in TLSF malfunction.
Make sure you are not making out of bound writing on the memory you allocate in your application.
Make sure you are not writing on freed memory.
For more information run 'idf.py docs -sp api-reference/system/heap_debug.html'.
at C:/Espressif/frameworks/esp-idf-special/components/esp_system/panic.c:466
#1 0x40096174 in esp_system_abort (
details=0x3ffd92d4 "assert failed: tlsf_free tlsf.c:629 (!block_is_free(block) && "block already marked as free")")
HINT: CORRUPT HEAP: heap metadata corrupted resulting in TLSF malfunction.
Make sure you are not making out of bound writing on the memory you allocate in your application.
Make sure you are not writing on freed memory.
For more information run 'idf.py docs -sp api-reference/system/heap_debug.html'.
at C:/Espressif/frameworks/esp-idf-special/components/esp_system/port/esp_system_chip.c:87
#2 0x40099030 in __assert_func (file=, line=, func=, expr=)
at C:/Espressif/frameworks/esp-idf-special/components/newlib/assert.c:80
#3 0x400d97a6 in block_next (block=)
at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:161
#4 block_link_next (block=) at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:168
#5 block_mark_as_free (block=) at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf_block_functions.h:176
#6 tlsf_free (tlsf=0x3ffe0454, ptr=) at C:/Espressif/frameworks/esp-idf-special/components/heap/tlsf/tlsf.c:630
#7 0x400d8901 in multi_heap_free_impl (heap=0x3ffe0440, p=0x3ffe3e20)
at C:/Espressif/frameworks/esp-idf-special/components/heap/multi_heap.c:233
#8 multi_heap_free_impl (heap=0x3ffe0440, p=0x3ffe3e20) at C:/Espressif/frameworks/esp-idf-special/components/heap/multi_heap.c:222
#9 0x400da206 in heap_caps_free (ptr=) at C:/Espressif/frameworks/esp-idf-special/components/heap/heap_caps_base.c:75
#10 0x40099068 in free (ptr=0x3ffe3e20) at C:/Espressif/frameworks/esp-idf-special/components/newlib/heap.c:39
#11 0x4017d620 in esp_tls_internal_event_tracker_destroy (h=0x3ffe3e20)
at C:/Espressif/frameworks/esp-idf-special/components/esp-tls/esp_tls_error_capture.c:50
#12 0x4017d3a1 in esp_tls_conn_destroy (tls=0x3fff65b8) at C:/Espressif/frameworks/esp-idf-special/components/esp-tls/esp_tls.c:160
#13 0x4017f2f7 in base_close (t=) at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport_ssl.c:335
#14 0x401ff404 in esp_transport_close (t=)
at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport.c:172
#15 0x4017fd70 in ws_close (t=0x3fff3798) at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport_ws.c:680
#16 0x401ff404 in esp_transport_close (t=)
at C:/Espressif/frameworks/esp-idf-special/components/tcp_transport/transport.c:172
#17 0x4012f9e2 in esp_websocket_client_abort_connection (client=0x3fff330c, error_type=WEBSOCKET_ERROR_TYPE_TCP_TRANSPORT)
at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:254
#18 0x40130fe2 in esp_websocket_client_send_with_exact_opcode (client=0x3fff330c, opcode=,
data=0x3f89b2ac "{"act":"302","interact":"THV1TTZub0daVHhyQ0JIcQ==","guid":"ada9741b-59df-43fc-882f-1244675f033c","data":"z9Ni0E1RssohnI2H35l3zcoJqclFIcvRKp+SayU5XBYu8s9Pc+pFo0DkdeJRwn7PGQ9WEasNVbyCxkZb1DwPmi+TCGnrPaf"..., len=,
timeout=)
at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:677
#19 0x40131004 in esp_websocket_client_send_with_opcode (client=0x3fff330c, opcode=WS_TRANSPORT_OPCODES_TEXT,
data=0x3f89b2ac "{"act":"302","interact":"THV1TTZub0daVHhyQ0JIcQ==","guid":"ada9741b-59df-43fc-882f-1244675f033c","data":"z9Ni0E1RssohnI2H35l3zcoJqclFIcvRKp+SayU5XBYu8s9Pc+pFo0DkdeJRwn7PGQ9WEasNVbyCxkZb1DwPmi+TCGnrPaf"..., len=1062, timeout=3000)
at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:1446
#20 esp_websocket_client_send_text (client=0x3fff330c,
data=0x3f89b2ac "{"act":"302","interact":"THV1TTZub0daVHhyQ0JIcQ==","guid":"ada9741b-59df-43fc-882f-1244675f033c","data":"z9Ni0E1RssohnI2H35l3zcoJqclFIcvRKp+SayU5XBYu8s9Pc+pFo0DkdeJRwn7PGQ9WEasNVbyCxkZb1DwPmi+TCGnrPaf"..., len=1062, timeout=3000)
at D:/Dropbox/Dev/wisehome_project/managed_components/espressif__esp_websocket_client/esp_websocket_client.c:1416
#21 0x40110f9e in EWC_process_queue_tosend () at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1121
#22 0x4011101e in EWC_request_flush () at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1244
#23 0x400e6512 in WISEON_request_flush () at D:/Dropbox/Dev/wisehome_project/main/include/websocket_lib.c:1782
#24 0x40110722 in EWC_enqueue_item_reply (data=, data_size=)
at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:454
#25 EWC_enqueue_item_reply (data=, data_size=)
at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:369
#26 0x40110a6c in WISEON_enqueue_item_reply (
data=0x3f8a23a8 "{"act":"302","interact":"THV1TTZub0daVHhyQ0JIcQ==","guid":"ada9741b-59df-43fc-882f-1244675f033c","data":"z9Ni0E1RssohnI2H35l3zcoJqclFIcvRKp+SayU5XBYu8s9Pc+pFo0DkdeJRwn7PGQ9WEasNVbyCxkZb1DwPmi+TCGnrPaf"..., data_size=1062)
at D:/Dropbox/Dev/wisehome_project/main/tasks/websocket/taskWebsocket.c:1260
#27 0x400f464b in executar (sCommand=, sPort=, sData=)
at D:/Dropbox/Dev/wisehome_project/main/include/exec_utils.c:6235
#28 0x400f9c29 in get_port_status () at D:/Dropbox/Dev/wisehome_project/main/include/exec_utils.c:11081
#29 0x401020a0 in taskSentinela (arg=) at D:/Dropbox/Dev/wisehome_project/main/tasks/taskSentinela.c:3674
#30 0x4009662d in vPortTaskWrapper (pxCode=0x400ffb2c , pvParameters=0x0)
at C:/Espressif/frameworks/esp-idf-special/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:139

So, what we can see is that the websocket doent have any guard bit that tells that its closing or doing a close, so, the tls and the websocket does concurs in the deal to close and free the same item, so, need to fix it.

[filzek]

Hi @filzek, Thank you for reporting this heap corruption issue. I'm currently investigating the problem and trying to reproduce it in our test environment. To help me reproduce, could you please provide thesdkconfig file also? Specifically, I'm interested in: CONFIG_ESP_WS_CLIENT_ENABLE_DYNAMIC_BUFFER - Is this set to y? Any other WebSocket-related configurations you might have customized?

What specific operations trigger the heap corruption? (e.g., rapid connect/disconnect, large message transfers, etc.) Are you using multiple WebSocket connections simultaneously?

ESP WebSocket client

CONFIG_ESP_WS_CLIENT_ENABLE_DYNAMIC_BUFFER is not set

CONFIG_ESP_WS_CLIENT_SEPARATE_TX_LOCK=y
CONFIG_ESP_WS_CLIENT_TX_LOCK_TIMEOUT_MS=2000

end of ESP WebSocket client

the original file from the repository produces the error, sometimes in a busy noise environment, sometimes after a router restart, sometimes just running.

we also have applied all pending patches from david cemak and ginle and the results is the same with same double free crash.

[filzek]

@gabsuren using the
https://github.com/david-cermak/esp-protocols/commits/fix/ws_timeout_error_fix/
has the same results in double free / errors

[gabsuren]

@filzek thank you for the detailed information. I successfully reproduced the crash with CONFIG_ESP_WS_CLIENT_SEPARATE_TX_LOCK=y. The issue occurs because:

1. Send error path holds tx_lock and calls abort_connection()
2. Receive error path holds client->lock and calls abort_connection()
3. Both paths race to call esp_transport_close() on the same transport
4. This causes either double-free or use-after-free in the SSL/TLS layer

Fixes applied in esp-protocols:
0149cbe

Note: A complementary fix in esp-idf transport layer (adding idempotency to esp_transport_close()) would provide additional defense-in-depth protection. I will add it later.

Please check if the solution works for you, and we will procceed forward.
Regards,
Suren

[gabsuren]

Hi @filzek,

Just checking in to see if you had a chance to test the fix for the crash with CONFIG_ESP_WS_CLIENT_SEPARATE_TX_LOCK=y
Please let me know if it resolves the issue on your side so we can proceed with the next steps.

Best regards,
Suren

[filzek]

I have used the @david-cermak version with all patches and doesnt return the double free tls but now creates the memory leak internal in the tls, so, doenst work, to test it just turn the wifi off and on and will produce the error.

I will start to test your @gabsuren file today.

[filzek]

@gabsuren we have created a trace and find leak, error and crash in the websocket layer so we can test it with complete fallout scenarios such as:

WiFi Level
wifi on
wifi drop
wifi error
wifi full crowd
wifi off

Websocket server level
websocket on
websocket drop
websocket layer drop
websocket timeout
websocket off