Merge pull request #918 from ibondarenko1/fix/avdtp-empty-pdu-guard

avdtp: bound message assembler to drop truncated PDUs (DoS prevention)
2026-05-08 03:58:01 +00:00 · 2026-04-27 10:01:51 +08:00
parent 80f54f2a09 07b5e33e09
commit 05accbf805
2 changed files with 49 additions and 0 deletions
--- a/tests/avdtp_test.py
+++ b/tests/avdtp_test.py
@@ -120,6 +120,31 @@ def test_messages(message: avdtp.Message):
    assert message.payload == parsed.payload


+# -----------------------------------------------------------------------------
+@pytest.mark.parametrize(
+    'pdu',
+    (
+        b'',  # empty PDU — would IndexError on pdu[0]
+        b'\x00',  # 1-byte SINGLE_PACKET — would IndexError on pdu[1]
+        b'\x04',  # 1-byte START_PACKET — would IndexError on pdu[1]
+        b'\x44\x10',  # 2-byte START_PACKET — would IndexError on pdu[2]
+    ),
+)
+def test_message_assembler_truncated_pdu(pdu: bytes):
+    """Truncated AVDTP PDUs from a remote peer must NOT raise IndexError —
+    same DoS class as #912 (ATT empty PDU). The assembler is required to
+    log + drop and stay alive so the L2CAP channel survives."""
+    completed = []
+
+    def callback(transaction_label, message):
+        completed.append((transaction_label, message))
+
+    assembler = avdtp.MessageAssembler(callback)
+    # Must not raise; nothing should be delivered to callback either.
+    assembler.on_pdu(pdu)
+    assert not completed
+
+
 # -----------------------------------------------------------------------------
 def test_rtp():
    packet = bytes.fromhex(