Commit e0f7242
Security fixes: prevent integer underflow and null pointer vulnerabilities
- MQTT: Add bounds validation for topic_len in PUBLISH packets to prevent
integer underflow leading to heap buffer overflow (CVE-worthy)
- MQTT: Add length validation for PUBREC packets before buffer access
- Message: Fix potential null pointer dereference when NMEA vector is empty
in getNMEAJSON()
- WebSocket: Fix PING handler - validate payload <= 125 bytes per RFC 6455,
remove incorrect mask bit from PONG response
- WebSocket: Consolidate buffer bounds checking with overflow protection
1 parent df85b10 commit e0f7242
3 files changed
Lines changed: 469 additions & 417 deletions
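
The `topic_len` underflow named in the first bullet, shown as an added example that is not code from this commit or project: a bounds-checked parser for the body of an MQTT 3.1.1 PUBLISH packet, next to the unchecked subtraction it guards against. The struct, the function names and the calling convention are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result type: pointers into the caller's buffer, no copies. */
struct publish_view {
    const uint8_t *topic;   size_t topic_len;
    const uint8_t *payload; size_t payload_len;
    uint16_t packet_id;     /* 0 when QoS is 0 */
};

/* The unchecked arithmetic, for contrast: wraps when topic_len > remaining - 2. */
size_t unchecked_payload_len(size_t remaining, size_t topic_len)
{
    return remaining - 2 - topic_len;
}

/* Parse the bytes that follow the fixed header of a PUBLISH packet.
 * remaining: the decoded Remaining Length, i.e. the number of valid bytes in body.
 * flags: low nibble of the first fixed-header byte (QoS is bits 2..1).
 * Returns 0 on success, -1 if the packet is malformed. */
int parse_publish(const uint8_t *body, size_t remaining, uint8_t flags,
                  struct publish_view *out)
{
    unsigned qos = (flags >> 1) & 0x3;
    if (qos == 3) return -1;              /* reserved QoS value */
    if (remaining < 2) return -1;         /* no room for the topic length field */

    size_t topic_len = ((size_t)body[0] << 8) | body[1];
    size_t left = remaining - 2;          /* safe: remaining >= 2 checked above */

    /* Without this check, left - topic_len wraps to a huge size_t and the
     * derived payload length reaches far past the end of the buffer. */
    if (topic_len > left) return -1;
    out->topic = body + 2;
    out->topic_len = topic_len;
    left -= topic_len;

    const uint8_t *p = body + 2 + topic_len;
    out->packet_id = 0;
    if (qos > 0) {                        /* packet identifier only for QoS 1 and 2 */
        if (left < 2) return -1;
        out->packet_id = (uint16_t)((p[0] << 8) | p[1]);
        p += 2;
        left -= 2;
    }
    out->payload = p;
    out->payload_len = left;
    return 0;
}
```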