From 856108be39e83bd45954e5fb42661caf480f985d Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Fri, 19 Jun 2026 21:59:49 +0530
Subject: [PATCH] reject oversized websocket origin in callback_broker_mqtt
---
 src/mqtt_broker.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/mqtt_broker.c b/src/mqtt_broker.c
index 525e1ca5..5e20593f 100644
--- a/src/mqtt_broker.c
+++ b/src/mqtt_broker.c
@@ -1016,10 +1016,17 @@ static int callback_broker_mqtt(struct lws *wsi,
 char origin[256];
 int olen = lws_hdr_copy(wsi, origin, (int)sizeof(origin), WSI_TOKEN_ORIGIN);
- if (olen > 0 &&
- XSTRCMP(origin, broker->ws_allowed_origin) != 0) {
+ /* lws_hdr_copy returns <= 0 both when no Origin header is sent
+ * (native client, allowed) and when a present Origin is too long
+ * for the buffer. Deciding on olen alone lets an attacker-chosen
+ * Origin longer than the buffer be treated as absent and slip past
+ * the allowlist. Use the header's real length to tell the two
+ * apart and reject a present-but-unverifiable Origin. */
+ if (lws_hdr_total_length(wsi, WSI_TOKEN_ORIGIN) > 0 &&
+ (olen <= 0 ||
+ XSTRCMP(origin, broker->ws_allowed_origin) != 0)) {
 WBLOG_ERR(broker, "broker: ws origin rejected: %s",
- BrokerLog_Sanitize(origin));
+ BrokerLog_Sanitize(olen > 0 ? origin : "(oversized)"));
 return -1;
 }
 }
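Review bot: The `WBLOG_ERR` call at the end of the hunk logs the fixed string `(oversized)` whenever `lws_hdr_copy` fails, so the rejection record drops the header length, the one value that would let an operator tell an over-long Origin from any other copy failure. Reading the length once, `int otot = lws_hdr_total_length(wsi, WSI_TOKEN_ORIGIN);`, testing `otot > 0` in the condition and logging it with a format such as `"broker: ws origin rejected (len=%d): %s"` keeps that evidence and avoids deriving the decision from two separate header lookups. The literal is also handed to `BrokerLog_Sanitize`, whose signature is not visible here; if it rewrites its argument in place, a string literal must not reach it. `callback_broker_mqtt` begins and ends outside the hunk, and as the new comment says an absent Origin is still accepted, so the allowlist only binds clients that send the header.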