From 5eff7a1705e5b8b3454878e7e31568d42e05035e Mon Sep 17 00:00:00 2001 From: surengab Date: Wed, 18 Feb 2026 15:28:36 +0400 Subject: [PATCH] fix(transport_ws): add RFC 6455 validation for control frame payload size --- components/tcp_transport/transport_ws.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c index 0c130547c19..328737d393f 100644 --- a/components/tcp_transport/transport_ws.c +++ b/components/tcp_transport/transport_ws.c @@ -633,7 +633,12 @@ static int ws_read_header(esp_transport_handle_t t, char *buffer, int len, int t payload_len = (uint8_t)data_ptr[4] << 24 | (uint8_t)data_ptr[5] << 16 | (uint8_t)data_ptr[6] << 8 | data_ptr[7]; } } - + // RFC 6455 Section 5.5: Control frames MUST have payload length of 125 bytes or less + if ((ws->frame_state.opcode & WS_OPCODE_CONTROL_FRAME) && payload_len > 125) { + ESP_LOGE(TAG, "Control frame with excessive payload detected (opcode=0x%02X, payload_len=%d) - protocol violation", + ws->frame_state.opcode, payload_len); + return -1; + } if (mask) { // Read and store mask if (payload_len != 0 && (rlen = esp_transport_read_exact_size(ws, buffer, mask_len, timeout_ms)) <= 0) {