From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 8 Sep 2025 12:14:15 +0000 (+0200)
Subject: ws: get a new mask for each new outgoing frame
X-Git-Tag: curl-8_16_0~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=84db7a9eae8468c0445b15aa806fa7fa806fa0f2;p=thirdparty%2Fcurl.git

ws: get a new mask for each new outgoing frame

Reported-by: Calvin Ruocco
Closes #18496
---

diff --git a/lib/ws.c b/lib/ws.c
index e973409b6b..3b65428160 100644
--- a/lib/ws.c
+++ b/lib/ws.c
@@ -875,6 +875,18 @@ static CURLcode ws_enc_add_frame(struct Curl_easy *data,
   enc->payload_remain = enc->payload_len = payload_len;
   ws_enc_info(enc, data, "sending");
 
+  /* 4 bytes random */
+
+  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
+  if(result)
+    return result;
+
+#ifdef DEBUGBUILD
+  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
+    /* force the bit mask to 0x00000000, effectively disabling masking */
+    memset(&enc->mask, 0, sizeof(enc->mask));
+#endif
+
   /* add 4 bytes mask */
   memcpy(&head[hlen], &enc->mask, 4);
   hlen += 4;
@@ -1335,21 +1347,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
      subprotocol not requested by the client), the client MUST Fail
      the WebSocket Connection. */
 
-  /* 4 bytes random */
-
-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
-                     sizeof(ws->enc.mask));
-  if(result)
-    return result;
-
-#ifdef DEBUGBUILD
-  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
-    /* force the bit mask to 0x00000000, effectively disabling masking */
-    memset(ws->enc.mask, 0, sizeof(ws->enc.mask));
-#endif
-
-  infof(data, "[WS] Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
+  infof(data, "[WS] Received 101, switch to WebSocket");
 
   /* Install our client writer that decodes WS frames payload */
   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,