From d57e7cf20d805032740a8b173ea53ea0da1cce62 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 21 Sep 2025 10:18:13 +0200
Subject: [PATCH] ws: reject curl_ws_recv called with NULL buffer with a buflen
Arguably this is just a bad application. Reported in Joshua's sarif data Closes #18656
---
 lib/ws.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ws.c b/lib/ws.c
index c840961d10..b6ab28a35a 100644
--- a/lib/ws.c
+++ b/lib/ws.c
@@ -1502,7 +1502,7 @@ CURLcode curl_ws_recv(CURL *d, void *buffer,
 *nread = 0;
 *metap = NULL;
- if(!GOOD_EASY_HANDLE(data))
+ if(!GOOD_EASY_HANDLE(data) || (buflen && !buffer))
 return CURLE_BAD_FUNCTION_ARGUMENT;
 conn = data->conn;
-- 
2.47.3
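Review bot: `*nread = 0;` and `*metap = NULL;` at the top of the hunk still write through both out-pointers before the argument check runs, so a caller passing NULL for either would crash instead of getting CURLE_BAD_FUNCTION_ARGUMENT, which is the same kind of bad-application call this commit now rejects for `buffer`. Unless they are validated earlier in curl_ws_recv (its opening lines are outside the hunk), consider running the check ahead of those two writes and extending it to `if(!GOOD_EASY_HANDLE(data) || !nread || !metap || (buflen && !buffer))`. Moving the check would leave `*nread` and `*metap` untouched on this error path, so confirm that the documented contract allows that. A one-line comment above the test, for example `/* a NULL buffer is only acceptable together with a zero buflen */`, would record why `buflen` is part of the condition.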