From 84295180cdf156bdb2703d8b09ac8ab0de52813c Mon Sep 17 00:00:00 2001
From: Peter Johnson <johnson.peter@gmail.com>
Date: Fri, 10 Apr 2026 13:32:55 -0700
Subject: [PATCH] [wpinet] WebSocket: Mutex-protect static random device/engine
 (#8741)

---
 wpinet/src/main/native/cpp/WebSocket.cpp           |  9 +++++++--
 wpinet/src/main/native/cpp/WebSocketSerializer.cpp | 10 ++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/wpinet/src/main/native/cpp/WebSocket.cpp b/wpinet/src/main/native/cpp/WebSocket.cpp
index a233197eb7..177bdba98a 100644
--- a/wpinet/src/main/native/cpp/WebSocket.cpp
+++ b/wpinet/src/main/native/cpp/WebSocket.cpp
@@ -21,6 +21,7 @@
 #include "wpi/util/SmallString.hpp"
 #include "wpi/util/SmallVector.hpp"
 #include "wpi/util/StringExtras.hpp"
+#include "wpi/util/mutex.hpp"
 #include "wpi/util/print.hpp"
 #include "wpi/util/raw_ostream.hpp"
 #include "wpi/util/sha1.hpp"
@@ -117,10 +118,14 @@ class WebSocket::ClientHandshakeData {
     // key is a random nonce
     static std::random_device rd;
     static std::default_random_engine gen{rd()};
+    static wpi::util::mutex genMutex;
     std::uniform_int_distribution<unsigned int> dist(0, 255);
     char nonce[16];  // the nonce sent to the server
-    for (char& v : nonce) {
-      v = static_cast<char>(dist(gen));
+    {
+      std::scoped_lock lock{genMutex};
+      for (char& v : nonce) {
+        v = static_cast<char>(dist(gen));
+      }
     }
     wpi::util::raw_svector_ostream os(key);
     wpi::util::Base64Encode(os, {nonce, 16});
diff --git a/wpinet/src/main/native/cpp/WebSocketSerializer.cpp b/wpinet/src/main/native/cpp/WebSocketSerializer.cpp
index 7c6b6b5848..5488d3f92a 100644
--- a/wpinet/src/main/native/cpp/WebSocketSerializer.cpp
+++ b/wpinet/src/main/native/cpp/WebSocketSerializer.cpp
@@ -6,6 +6,8 @@
 
 #include <random>
 
+#include "wpi/util/mutex.hpp"
+
 using namespace wpi::net::detail;
 
 static constexpr uint8_t FLAG_MASKING = 0x80;
@@ -63,10 +65,14 @@ size_t SerializedFrames::AddClientFrame(const WebSocket::Frame& frame) {
   // generate masking key
   static std::random_device rd;
   static std::default_random_engine gen{rd()};
+  static wpi::util::mutex genMutex;
   std::uniform_int_distribution<unsigned int> dist(0, 255);
   uint8_t key[4];
-  for (uint8_t& v : key) {
-    v = dist(gen);
+  {
+    std::scoped_lock lock{genMutex};
+    for (uint8_t& v : key) {
+      v = dist(gen);
+    }
   }
   std::memcpy(internalBuf, key, 4);
   internalBuf += 4;