From b87613b55bc19fb5030aa8df970763889fad7fb1 Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Wed, 11 Feb 2026 13:29:39 +0530
Subject: [PATCH 1/2] fix(esp_local_ctrl): validate payload_case matches
 msg_type in command dispatcher

The command dispatcher routed handlers based solely on msg_type without
verifying that the protobuf payload_case field matched. A crafted message
with mismatched msg_type and payload_case could cause type confusion,
leading to an out-of-bounds read or NULL pointer dereference.

Add expected_payload_case to the command table and validate it in the
dispatcher before invoking any handler.

Please note that this issue was applicable for authenticated clients
only (with security1/2 scheme) and hence the impact is on lower side.
---
 .../esp_local_ctrl/src/esp_local_ctrl_handler.c      | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/components/esp_local_ctrl/src/esp_local_ctrl_handler.c b/components/esp_local_ctrl/src/esp_local_ctrl_handler.c
index 65a6b4ed7a..bb1874d237 100644
--- a/components/esp_local_ctrl/src/esp_local_ctrl_handler.c
+++ b/components/esp_local_ctrl/src/esp_local_ctrl_handler.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -25,6 +25,7 @@ static const char* TAG = "esp_local_ctrl_handler";
 
 typedef struct esp_local_ctrl_cmd {
     int cmd_num;
+    int expected_payload_case;
     esp_err_t (*command_handler)(LocalCtrlMessage *req,
                                  LocalCtrlMessage *resp, void **ctx);
 } esp_local_ctrl_cmd_t;
@@ -41,14 +42,17 @@ static esp_err_t cmd_set_prop_vals_handler(LocalCtrlMessage *req,
 static esp_local_ctrl_cmd_t cmd_table[] = {
     {
         .cmd_num = LOCAL_CTRL_MSG_TYPE__TypeCmdGetPropertyCount,
+        .expected_payload_case = LOCAL_CTRL_MESSAGE__PAYLOAD_CMD_GET_PROP_COUNT,
         .command_handler = cmd_get_prop_count_handler
     },
     {
         .cmd_num = LOCAL_CTRL_MSG_TYPE__TypeCmdGetPropertyValues,
+        .expected_payload_case = LOCAL_CTRL_MESSAGE__PAYLOAD_CMD_GET_PROP_VALS,
         .command_handler = cmd_get_prop_vals_handler
     },
     {
         .cmd_num = LOCAL_CTRL_MSG_TYPE__TypeCmdSetPropertyValues,
+        .expected_payload_case = LOCAL_CTRL_MESSAGE__PAYLOAD_CMD_SET_PROP_VALS,
         .command_handler = cmd_set_prop_vals_handler
     }
 };
@@ -238,6 +242,12 @@ static esp_err_t esp_local_ctrl_command_dispatcher(LocalCtrlMessage *req,
         return ESP_ERR_INVALID_ARG;
     }
 
+    if (req->payload_case != cmd_table[cmd_index].expected_payload_case) {
+        ESP_LOGE(TAG, "Payload type mismatch: msg_type %d expects payload %d, got %d",
+                 req->msg, cmd_table[cmd_index].expected_payload_case, req->payload_case);
+        return ESP_ERR_INVALID_ARG;
+    }
+
     esp_err_t ret = cmd_table[cmd_index].command_handler(req, resp, ctx);
     if (ret != ESP_OK) {
         ESP_LOGE(TAG, "Error executing command handler");

From 439026e5ea81643614e6ad7c4747c42d977208b9 Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Wed, 11 Feb 2026 13:55:44 +0530
Subject: [PATCH 2/2] docs(protocomm): recommend using security2 scheme for
 production purpose

---
 components/protocomm/Kconfig                             | 4 ++++
 docs/en/api-reference/protocols/esp_local_ctrl.rst       | 3 +++
 docs/en/api-reference/provisioning/protocomm.rst         | 3 +++
 docs/zh_CN/api-reference/protocols/esp_local_ctrl.rst    | 3 +++
 docs/zh_CN/api-reference/provisioning/protocomm.rst      | 3 +++
 examples/protocols/esp_local_ctrl/main/Kconfig.projbuild | 9 +++++++++
 6 files changed, 25 insertions(+)

diff --git a/components/protocomm/Kconfig b/components/protocomm/Kconfig
index 4c7c51de24..1b4f788588 100644
--- a/components/protocomm/Kconfig
+++ b/components/protocomm/Kconfig
@@ -5,6 +5,8 @@ menu "Protocomm"
         default n
         help
             Enable support of security version 0.
+            This version provides no encryption or authentication and should
+            not be used in production. Use only for development and testing.
             Disabling this option saves some code size.
             Consult the Enabling protocomm security version section of the
             Protocomm documentation in ESP-IDF Programming guide for more details.
@@ -14,6 +16,8 @@ menu "Protocomm"
         default n
         help
             Enable support of security version 1.
+            Security version 2 (SRP6a + AES-GCM) is recommended over this
+            version for new designs.
             Disabling this option saves some code size.
             Consult the Enabling protocomm security version section of the
             Protocomm documentation in ESP-IDF Programming guide for more details.
diff --git a/docs/en/api-reference/protocols/esp_local_ctrl.rst b/docs/en/api-reference/protocols/esp_local_ctrl.rst
index 91ecf793e8..5c7f20a217 100644
--- a/docs/en/api-reference/protocols/esp_local_ctrl.rst
+++ b/docs/en/api-reference/protocols/esp_local_ctrl.rst
@@ -97,6 +97,9 @@ You may set security for transport in ESP local control using following options:
 3. ``PROTOCOM_SEC0``: specifies that data will be exchanged as a plain text (no security).
 4. ``PROTOCOM_SEC_CUSTOM``: you can define your own security requirement. Please note that you will also have to provide ``custom_handle`` of type ``protocomm_security_t *`` in this context.
 
+.. warning::
+    It is strongly recommended to use ``PROTOCOM_SEC2`` for production deployments. ``PROTOCOM_SEC0`` provides no encryption or authentication, leaving device properties exposed to any client on the local network. ``PROTOCOM_SEC1`` provides weaker security compared to ``PROTOCOM_SEC2`` and its use is discouraged for new designs.
+
 .. note::
     The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`Protocol Communication </api-reference/provisioning/protocomm>` for more details.
 
diff --git a/docs/en/api-reference/provisioning/protocomm.rst b/docs/en/api-reference/provisioning/protocomm.rst
index fc90fbbbd9..344a22f1e1 100644
--- a/docs/en/api-reference/provisioning/protocomm.rst
+++ b/docs/en/api-reference/provisioning/protocomm.rst
@@ -49,6 +49,9 @@ The protocomm component provides a project configuration menu to enable/disable
 
     Enabling multiple security versions at once offers the ability to control them dynamically but also increases the firmware size.
 
+.. warning::
+    ``protocomm_security0`` provides no encryption or authentication and should not be used in production. ``protocomm_security2`` (SRP6a + AES-GCM) is the recommended security version for all production use cases.
+
 .. only:: SOC_WIFI_SUPPORTED
 
     SoftAP + HTTP Transport Example with Security 2
diff --git a/docs/zh_CN/api-reference/protocols/esp_local_ctrl.rst b/docs/zh_CN/api-reference/protocols/esp_local_ctrl.rst
index 6c05e818f4..30473c442a 100644
--- a/docs/zh_CN/api-reference/protocols/esp_local_ctrl.rst
+++ b/docs/zh_CN/api-reference/protocols/esp_local_ctrl.rst
@@ -97,6 +97,9 @@ ESP 本地控制
 3. ``PROTOCOM_SEC0``: 指定以明文（无安全性）方式交换数据。
 4. ``PROTOCOM_SEC_CUSTOM``: 自定义安全需求。注意，使用这一选项时，必须提供 ``protocomm_security_t *`` 类型的 ``custom_handle``。
 
+.. warning::
+    强烈建议在生产部署中使用 ``PROTOCOM_SEC2``。``PROTOCOM_SEC0`` 不提供加密或身份验证，本地网络上的任何客户端都可以访问设备属性。``PROTOCOM_SEC1`` 的安全性弱于 ``PROTOCOM_SEC2``，不建议在新设计中使用。
+
 .. note::
     相应的安全方案需通过项目配置菜单启用。要了解详情，请参考 :doc:`Protocol Communication </api-reference/provisioning/protocomm>` 中关于启用 protocomm 安全版本的章节。
 
diff --git a/docs/zh_CN/api-reference/provisioning/protocomm.rst b/docs/zh_CN/api-reference/provisioning/protocomm.rst
index 0865d11396..b3c61286bf 100644
--- a/docs/zh_CN/api-reference/provisioning/protocomm.rst
+++ b/docs/zh_CN/api-reference/provisioning/protocomm.rst
@@ -49,6 +49,9 @@ Protocomm 为以下各种传输提供框架：
 
     启用多个安全版本后可以动态控制安全版本，但也会增加固件大小。
 
+.. warning::
+    ``protocomm_security0`` 不提供加密或身份验证，不应在生产环境中使用。建议在所有生产场景中使用 ``protocomm_security2`` （SRP6a + AES-GCM）。
+
 .. only:: SOC_WIFI_SUPPORTED
 
     使用 Security 2 的 SoftAP + HTTP 传输方案示例
diff --git a/examples/protocols/esp_local_ctrl/main/Kconfig.projbuild b/examples/protocols/esp_local_ctrl/main/Kconfig.projbuild
index f1301ec9f7..f68f7e647f 100644
--- a/examples/protocols/esp_local_ctrl/main/Kconfig.projbuild
+++ b/examples/protocols/esp_local_ctrl/main/Kconfig.projbuild
@@ -27,14 +27,23 @@ menu "Example Configuration"
         config EXAMPLE_PROTOCOMM_SECURITY_VERSION_0
             bool "Security Version 0"
             select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
+            help
+                No security. Data is exchanged as plain text.
+                This mode is not recommended for production use.
 
         config EXAMPLE_PROTOCOMM_SECURITY_VERSION_1
             bool "Security version 1"
             select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
+            help
+                Curve25519 key exchange + AES-CTR encryption.
+                Security version 2 is recommended over this for new designs.
 
         config EXAMPLE_PROTOCOMM_SECURITY_VERSION_2
             bool "Security version 2"
             select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
+            help
+                SRP6a-based key exchange + AES-GCM encryption. Preferred security
+                version for new designs.
     endchoice
 
     choice EXAMPLE_PROTOCOMM_SEC2_MODE