auracaster/bumble_mirror
3
0
Fork 1
mirror of https://github.com/google/bumble.git synced 2026-05-08 03:58:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,671 Commits 19 Branches 124 Tags
b874e26a4f644fc876856dbdabc181e2fbf3dc11
Commit Graph

8 Commits

Author SHA1 Message Date
ibondarenko1
b874e26a4f avdtp: bound message assembler to drop truncated PDUs (DoS prevention) 
A remote peer can send an AVDTP frame shorter than the assembler expects.
The current MessageAssembler.on_pdu() unconditionally accesses pdu[0],
pdu[1], and (for START packets) pdu[2], so a 0-, 1-, or 2-byte frame
raises IndexError. The exception propagates up through L2CAP's read loop
and tears down the channel — same DoS class as #912 (empty ATT PDU) and
#914 (unbounded SDP recursion).

Fix: validate length before each access. Empty PDUs and packets shorter
than the type-specific minimum are logged and dropped; the assembler
stays alive so the L2CAP channel is not torn down.

- bumble/avdtp.py: length guards in MessageAssembler.on_pdu before
  accessing pdu[0], pdu[1], pdu[2].
- tests/avdtp_test.py: regression test covering empty PDU, 1-byte SINGLE,
  1-byte START, 2-byte START — all four would have raised IndexError
  pre-fix; assembler now drops without raising.
 2026-04-26 18:16:15 -07:00
Josh Wu
5dc76cf7b4 Migrate AVDTP enums 2025-10-22 20:41:51 +08:00
Josh Wu
a43b403511 Migrate AVDTP packets to dataclasses 2025-10-21 18:54:48 +08:00
Gilles Boccon-Gibod
7aba36302a use isort when formatting 2025-08-21 16:38:58 -07:00
Gilles Boccon-Gibod
0a20f14ea9 address PR comments 2024-10-15 15:26:19 -07:00
Josh Wu
495ce62d9c Typing AVDTP 2023-10-07 19:32:19 +08:00
Gilles Boccon-Gibod
135df0dcc0 format with Black 2022-12-10 09:40:12 -08:00
Gilles Boccon-Gibod
6ac91f7dec initial import 2022-05-16 19:42:31 -07:00