Merge pull request #912 from ibondarenko1/fix/empty-pdu-crash

fix: add input validation to prevent remote crash from empty/malforme…
2026-05-06 03:38:01 +00:00 · 2026-04-20 14:36:48 +08:00
parent 2420c47cf1 444f43f6a3
commit bf0784dde4
3 changed files with 18 additions and 2 deletions
--- a/bumble/att.py
+++ b/bumble/att.py
@@ -42,7 +42,7 @@ from typing_extensions import TypeIs

 from bumble import hci, l2cap, utils
 from bumble.colors import color
-from bumble.core import UUID, InvalidOperationError, ProtocolError
+from bumble.core import UUID, InvalidOperationError, InvalidPacketError, ProtocolError
 from bumble.hci import HCI_Object

 # -----------------------------------------------------------------------------
@@ -249,6 +249,8 @@ class ATT_PDU:

    @classmethod
    def from_bytes(cls, pdu: bytes) -> ATT_PDU:
+        if not pdu:
+            raise InvalidPacketError("Empty ATT PDU")
        op_code = pdu[0]

        subclass = ATT_PDU.pdu_classes.get(op_code)
--- a/bumble/hfp.py
+++ b/bumble/hfp.py
@@ -68,6 +68,8 @@ class HfpProtocolError(ProtocolError):

 # -----------------------------------------------------------------------------
 class HfpProtocol:
+    MAX_BUFFER_SIZE: ClassVar[int] = 65536
+
    dlc: rfcomm.DLC
    buffer: str
    lines: collections.deque
@@ -84,10 +86,19 @@ class HfpProtocol:
    def feed(self, data: bytes | str) -> None:
        # Convert the data to a string if needed
        if isinstance(data, bytes):
-            data = data.decode('utf-8')
+            data = data.decode('utf-8', errors='replace')

        logger.debug(f'<<< Data received: {data}')

+        # Drop incoming data if it would overflow the buffer; keep existing
+        # partial packet state intact so a future clean packet can still parse.
+        if len(self.buffer) + len(data) > self.MAX_BUFFER_SIZE:
+            logger.warning(
+                'HFP buffer overflow (>%d bytes), dropping incoming data',
+                self.MAX_BUFFER_SIZE,
+            )
+            return
+
        # Add to the buffer and look for lines
        self.buffer += data
        while (separator := self.buffer.find('\r')) >= 0:
--- a/bumble/smp.py
+++ b/bumble/smp.py
@@ -36,6 +36,7 @@ from bumble.colors import color
 from bumble.core import (
    AdvertisingData,
    InvalidArgumentError,
+    InvalidPacketError,
    PhysicalTransport,
    ProtocolError,
 )
@@ -215,6 +216,8 @@ class SMP_Command:

    @classmethod
    def from_bytes(cls, pdu: bytes) -> SMP_Command:
+        if not pdu:
+            raise InvalidPacketError("Empty SMP PDU")
        code = CommandCode(pdu[0])

        subclass = SMP_Command.smp_classes.get(code)