From d22d5e83b4efe7b2bfa7b3d5b23e6233d9eaec83 Mon Sep 17 00:00:00 2001
From: surengab
Date: Wed, 20 May 2026 16:56:24 +0400
Subject: [PATCH] fix(ws_transport): reject oversized 64-bit WebSocket payload length
---
 components/tcp_transport/transport_ws.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c
index e6e4df3cee5..87b2c98af08 100644
--- a/components/tcp_transport/transport_ws.c
+++ b/components/tcp_transport/transport_ws.c
@@ -625,12 +625,15 @@ static int ws_read_header(esp_transport_handle_t t, char *buffer, int len, int t
 return rlen;
 }
- if (data_ptr[0] != 0 || data_ptr[1] != 0 || data_ptr[2] != 0 || data_ptr[3] != 0) {
- // really too big!
- payload_len = 0xFFFFFFFF;
- } else {
- payload_len = (uint8_t)data_ptr[4] << 24 | (uint8_t)data_ptr[5] << 16 | (uint8_t)data_ptr[6] << 8 | data_ptr[7];
+ if (data_ptr[0] != 0 || data_ptr[1] != 0 || data_ptr[2] != 0 || data_ptr[3] != 0 ||
+ ((uint8_t)data_ptr[4] & 0x80)) {
+ ESP_LOGE(TAG, "Payload length out of range");
+ return -1;
 }
+ payload_len = (int)((uint32_t)(uint8_t)data_ptr[4] << 24 |
+ (uint32_t)(uint8_t)data_ptr[5] << 16 |
+ (uint32_t)(uint8_t)data_ptr[6] << 8 |
+ (uint32_t)(uint8_t)data_ptr[7]);
 }
 // RFC 6455 Section 5.5: Control frames MUST have payload length of 125 bytes or less
 if ((ws->frame_state.opcode & WS_OPCODE_CONTROL_FRAME) && payload_len > 125) {
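Review bot: The new early `return -1` in the 64-bit length branch exits with the stream positioned mid-frame: the eight length bytes have been consumed, but any mask key and the payload have not, and nothing in this hunk resets `ws->frame_state` or marks the transport as failed. If any caller treats a negative return as a transient read error and calls in again, the next header parse would start inside peer-controlled payload bytes, so please confirm that every negative return from ws_read_header leads to the connection being closed; the callers and the rest of the function lie outside this hunk. The bare `0x80` test would also benefit from a why-comment above the condition, for example `// RFC 6455 5.2: MSB of the 64-bit length must be 0; also cap at INT_MAX since payload_len is stored in an int` (the `int` type is inferred from the cast, so adjust if it is declared differently). Including the rejected high length bytes in the `ESP_LOGE` message would make these rejections easier to triage in device logs.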