From a0c18b68de520bd86feaed4e4076afbfe4f0b48d Mon Sep 17 00:00:00 2001
From: surengab
Date: Wed, 18 Feb 2026 15:24:44 +0400
Subject: [PATCH] fix(transport_ws): reject reserved opcodes per RFC 6455
---
 components/tcp_transport/transport_ws.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c
index 2949833678..6e6172fbae 100644
--- a/components/tcp_transport/transport_ws.c
+++ b/components/tcp_transport/transport_ws.c
@@ -563,6 +563,14 @@ static int ws_read_header(esp_transport_handle_t t, char *buffer, int len, int t
 ESP_LOGE(TAG, "Non-zero RSV bits detected (rsv=0x%02X) - protocol violation, no extensions negotiated", rsv);
 return -1;
 }
+
+ // RFC 6455 Section 5.2: Validate opcode (only 0x0-0x2 for data, 0x8-0xA for control are defined)
+ if ((ws->frame_state.opcode >= 0x3 && ws->frame_state.opcode <= 0x7) ||
+ (ws->frame_state.opcode >= 0xB && ws->frame_state.opcode <= 0xF)) {
+ ESP_LOGE(TAG, "Reserved opcode detected (opcode=0x%02X) - protocol violation", ws->frame_state.opcode);
+ return -1;
+ }
+
 if (payload_len == 126) {
 // headerLen += 2;
 if ((rlen = esp_transport_read_exact_size(ws, data_ptr, header, timeout_ms)) <= 0) {
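Review bot: A control opcode (0x8-0xA) passes the new reserved-opcode check and then reaches the `if (payload_len == 126)` branch directly below it, so a control frame that declares an extended length is not rejected in the lines shown. RFC 6455 Section 5.5 limits control frames to 125 payload bytes and forbids fragmenting them. Unless that is already enforced elsewhere in ws_read_header, which starts and ends outside this hunk, a guard such as `if ((ws->frame_state.opcode & 0x8) && payload_len > 125) { ESP_LOGE(TAG, "Control frame payload too long"); return -1; }` belongs next to the new check, together with a matching test on the FIN bit. The type of `opcode` is not visible here; if it is already masked to four bits, the `<= 0xF` bound is redundant and a short comment saying so would help the next reader.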