From 4a10293f841be16945e38c4e1b569e7354b51096 Mon Sep 17 00:00:00 2001
From: Derek Meer <derek@meerific.com>
Date: Wed, 19 Mar 2025 04:13:28 -0700
Subject: [PATCH] redbean: fix restricted websockets opcode checks

---
 tool/net/redbean.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tool/net/redbean.c b/tool/net/redbean.c
index e400ff611..93d714bf9 100644
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
@@ -5229,12 +5229,12 @@ static int LuaWSRead(lua_State *L) {
 
   // reserved bit set
   if (header[0] & 0x70) goto close;
-  // reserved opcode
-  if ((header[0] & 0x7) > 0x3) goto close;
-  // payload data is unmasked
-  if (!(header[1] | (1 << 7))) goto close;
 
   opcode = header[0] & 0xF;
+  // reserved opcode
+  if ((opcode & 0x7) >= 0x3 || opcode > 0xA) goto close;
+  // payload data is unmasked
+  if (!(header[1] | (1 << 7))) goto close;
   // not in continuation
   if (!wsfragtype && !opcode) goto close;