Resolve a teardown hang in LeCreditBasedChannel. When a disconnection
collision occurs (both DUT and peer call disconnect simultaneously) or the
channel is aborted during disconnection, the connection state transitions
to DISCONNECTED before the peer's response arrives (or is ignored).
In these cases, the `disconnection_result` future remained unresolved,
causing any awaiting teardown task to hang.
This patch ensures that calling abort() or receiving a disconnection request
while in the DISCONNECTING state correctly resolves `disconnection_result` and
cleans up the channel.
Verification:
Verified with a new unit test `test_abort_while_disconnecting` added to
`tests/l2cap_test.py` that stubs a non-responsive peer and calls abort()
during the DISCONNECTING state transition, confirming it completes immediately.
This change adds the missing transport-side support for sending HCI ISO Data packets
over the default Bulk Out endpoint when Isochronous endpoints are not enabled.
- Handles HCI_ISO_DATA_PACKET (0x05) in both `usb` and `pyusb` transports.
- Adds unit tests to verify the routing behavior.
TAG=agy
CONV=5502c76b-b272-4e43-a0b9-425a23cf137e
Per @zxzxwu review on #918:
- bumble/avdtp.py: replace `if len(pdu) < 1:` with `if not pdu:`
- tests/avdtp_test.py: replace `assert completed == []` with
`assert not completed`
Both are idiomatic Python truthy checks; behavior identical.
A remote peer can send an AVDTP frame shorter than the assembler expects.
The current MessageAssembler.on_pdu() unconditionally accesses pdu[0],
pdu[1], and (for START packets) pdu[2], so a 0-, 1-, or 2-byte frame
raises IndexError. The exception propagates up through L2CAP's read loop
and tears down the channel — same DoS class as #912 (empty ATT PDU) and
#914 (unbounded SDP recursion).
Fix: validate length before each access. Empty PDUs and packets shorter
than the type-specific minimum are logged and dropped; the assembler
stays alive so the L2CAP channel is not torn down.
- bumble/avdtp.py: length guards in MessageAssembler.on_pdu before
accessing pdu[0], pdu[1], pdu[2].
- tests/avdtp_test.py: regression test covering empty PDU, 1-byte SINGLE,
1-byte START, 2-byte START — all four would have raised IndexError
pre-fix; assembler now drops without raising.
Change regex match string to raw string to avoid syntax warning:
tests/sdp_test.py:218: SyntaxWarning: invalid escape sequence '\d'
assert not re.search("Expect \d+ bytes, got \d+", caplog.text)
In the future, this will become an error, so we should fix it now.
- bumble/sdp.py: replace raise ValueError with raise InvalidPacketError
in DataElement.list_from_bytes depth guard. InvalidPacketError
already imported at line 34 and extends ValueError so the existing
regression test continues to match.
- tests/sdp_test.py: remove duplicate 'import pytest' inside
test_nested_sequence_recursion_guard; pytest already imported at
module top (line 23).
Threading.local counter left as-is per zxzxwu's 'leave it here and
refactor later' comment on the PR.
DataElement.from_bytes -> list_from_bytes -> (SEQUENCE/ALTERNATIVE
constructor dispatches back to list_from_bytes) had no depth limit. A
malicious SDP peer could send a PDU of a few kilobytes containing ~1000
nested SEQUENCE tags and exhaust the Python recursion stack, crashing the
host with an unhandled RecursionError propagating out of the SDP handler.
Reachable via: any remote Bluetooth device that Bumble performs SDP
service discovery against (default during Classic connection setup).
Same family as PR #912 (ATT_PDU.from_bytes empty PDU IndexError) - remote
unchecked-input parser crash in the Bluetooth stack.
Fix: thread-local depth counter, cap nesting at 32 (well above anything a
legitimate service record uses). Added two regression tests covering the
deep-nesting reject path and normal 16-level-nested SEQUENCE parsing.
Reproducer (4.5 KB payload, deterministic crash on 0.0.228):
from bumble.sdp import DataElement
inner = b"\x35\x00"
for _ in range(1500):
size = len(inner)
if size < 65535:
inner = bytes([0x36, (size >> 8) & 0xFF, size & 0xFF]) + inner
DataElement.from_bytes(inner) # RecursionError before fix
Signed-off-by: ibondarenko1 <ibondarenko1@users.noreply.github.com>
uier