From a25dbf933628b33ea47bb2041015a7b5d069193f Mon Sep 17 00:00:00 2001
From: Christien Rioux
Date: Wed, 7 May 2025 10:57:43 -0400
Subject: [PATCH] reject connections with invalid framing
---
 veilid-core/src/network_manager/native/protocol/tcp.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/veilid-core/src/network_manager/native/protocol/tcp.rs b/veilid-core/src/network_manager/native/protocol/tcp.rs
index bfb14f36..b3517ab3 100644
--- a/veilid-core/src/network_manager/native/protocol/tcp.rs
+++ b/veilid-core/src/network_manager/native/protocol/tcp.rs
@@ -151,6 +151,14 @@ impl RawTcpProtocolHandler {
 return Ok(None);
 }

+ // Ensure this has a chance of being proper framed, otherwise drop the connection
+ // This will keep upgraded WS->WSS TLS negotiations from getting punished if the
+ // WSS accept handler isn't enabled
+ if peekbuf[0] != b'V' || peekbuf[1] != b'L' {
+ // Not framed TCP, drop it
+ return Ok(None);
+ }
+
 let peer_addr = PeerAddress::new(
 SocketAddress::from_socket_addr(socket_addr),
 ProtocolType::TCP,
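Review bot: The added guard indexes `peekbuf[0]` and `peekbuf[1]` and compares them with the bare literals `b'V'` and `b'L'`, so it relies on two things this hunk does not show: that `peekbuf` always holds at least two filled bytes here, and that the literals match the magic the framing code actually writes. If the buffer is a fixed-size array filled by an exact peek, the indexing is safe, but `if !peekbuf.starts_with(b"VL") {` states the same test without a panic path, and if the framing module already names its header bytes, that constant should be compared instead of repeating the literals. Because any sender can supply a two-byte prefix, I would also add a comment such as `// Cheap pre-filter, not validation: the frame reader must still bound the length field` so the check is not later mistaken for input validation. The enclosing function starts and ends outside the hunk.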