Merge pull request #913 from zxzxwu/sdp

SDP: Fix wrong parameter size
2026-05-06 03:38:01 +00:00 · 2026-04-20 16:32:37 +08:00 · 2026-04-20 16:23:19 +08:00 · 2026-04-20 14:36:48 +08:00 · 2026-04-16 11:24:09 -07:00 · 2026-04-16 18:11:57 +02:00
9 changed files with 72 additions and 55 deletions
--- a/bumble/att.py
+++ b/bumble/att.py
@@ -42,7 +42,7 @@ from typing_extensions import TypeIs

 from bumble import hci, l2cap, utils
 from bumble.colors import color
-from bumble.core import UUID, InvalidOperationError, ProtocolError
+from bumble.core import UUID, InvalidOperationError, InvalidPacketError, ProtocolError
 from bumble.hci import HCI_Object

 # -----------------------------------------------------------------------------
@@ -249,6 +249,8 @@ class ATT_PDU:

    @classmethod
    def from_bytes(cls, pdu: bytes) -> ATT_PDU:
+        if not pdu:
+            raise InvalidPacketError("Empty ATT PDU")
        op_code = pdu[0]

        subclass = ATT_PDU.pdu_classes.get(op_code)
--- a/bumble/hfp.py
+++ b/bumble/hfp.py
@@ -68,6 +68,8 @@ class HfpProtocolError(ProtocolError):

 # -----------------------------------------------------------------------------
 class HfpProtocol:
+    MAX_BUFFER_SIZE: ClassVar[int] = 65536
+
    dlc: rfcomm.DLC
    buffer: str
    lines: collections.deque
@@ -84,10 +86,19 @@ class HfpProtocol:
    def feed(self, data: bytes | str) -> None:
        # Convert the data to a string if needed
        if isinstance(data, bytes):
-            data = data.decode('utf-8')
+            data = data.decode('utf-8', errors='replace')

        logger.debug(f'<<< Data received: {data}')

+        # Drop incoming data if it would overflow the buffer; keep existing
+        # partial packet state intact so a future clean packet can still parse.
+        if len(self.buffer) + len(data) > self.MAX_BUFFER_SIZE:
+            logger.warning(
+                'HFP buffer overflow (>%d bytes), dropping incoming data',
+                self.MAX_BUFFER_SIZE,
+            )
+            return
+
        # Add to the buffer and look for lines
        self.buffer += data
        while (separator := self.buffer.find('\r')) >= 0:
--- a/bumble/host.py
+++ b/bumble/host.py
@@ -692,10 +692,8 @@ class Host(utils.EventEmitter):
        finally:
            self.pending_command = None
            self.pending_response = None
-            if (
-                response is not None
-                and response.num_hci_command_packets
-                and self.command_semaphore.locked()
+            if response is None or (
+                response.num_hci_command_packets and self.command_semaphore.locked()
            ):
                self.command_semaphore.release()

--- a/bumble/sdp.py
+++ b/bumble/sdp.py
@@ -594,7 +594,10 @@ class SDP_PDU:

    @classmethod
    def from_bytes(cls, pdu: bytes) -> SDP_PDU:
-        pdu_id, transaction_id, _parameters_length = struct.unpack_from('>BHH', pdu, 0)
+        pdu_id, transaction_id, parameters_length = struct.unpack_from('>BHH', pdu, 0)
+
+        if len(pdu) != 5 + parameters_length:
+            logger.warning("Expect %d bytes, got %d", 5 + parameters_length, len(pdu))

        subclass = cls.subclasses.get(pdu_id)
        if not (subclass := cls.subclasses.get(pdu_id)):
@@ -616,9 +619,11 @@ class SDP_PDU:

    def __bytes__(self):
        if self._payload is None:
-            self._payload = struct.pack(
-                '>BHH', self.pdu_id, self.transaction_id, 0
-            ) + hci.HCI_Object.dict_to_bytes(self.__dict__, self.fields)
+            parameters = hci.HCI_Object.dict_to_bytes(self.__dict__, self.fields)
+            self._payload = (
+                struct.pack('>BHH', self.pdu_id, self.transaction_id, len(parameters))
+                + parameters
+            )
        return self._payload

    @property
--- a/bumble/smp.py
+++ b/bumble/smp.py
@@ -36,6 +36,7 @@ from bumble.colors import color
 from bumble.core import (
    AdvertisingData,
    InvalidArgumentError,
+    InvalidPacketError,
    PhysicalTransport,
    ProtocolError,
 )
@@ -215,6 +216,8 @@ class SMP_Command:

    @classmethod
    def from_bytes(cls, pdu: bytes) -> SMP_Command:
+        if not pdu:
+            raise InvalidPacketError("Empty SMP PDU")
        code = CommandCode(pdu[0])

        subclass = SMP_Command.smp_classes.get(code)
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -657,18 +657,6 @@ dependencies = [
 "wasi",
 ]

-[[package]]
-name = "getrandom"
-version = "0.3.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
-dependencies = [
- "cfg-if",
- "libc",
- "r-efi",
- "wasip2",
-]
-
 [[package]]
 name = "gimli"
 version = "0.28.0"
@@ -1413,27 +1401,22 @@ dependencies = [
 "proc-macro2",
 ]

-[[package]]
-name = "r-efi"
-version = "5.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
-
 [[package]]
 name = "rand"
-version = "0.9.3"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ec095654a25171c2124e9e3393a930bddbffdc939556c914957a4c3e0a87166"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
+ "libc",
 "rand_chacha",
 "rand_core",
 ]

 [[package]]
 name = "rand_chacha"
-version = "0.9.0"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
 dependencies = [
 "ppv-lite86",
 "rand_core",
@@ -1441,11 +1424,11 @@ dependencies = [

 [[package]]
 name = "rand_core"
-version = "0.9.5"
+version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
 dependencies = [
- "getrandom 0.3.4",
+ "getrandom",
 ]

 [[package]]
@@ -1472,7 +1455,7 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
 dependencies = [
- "getrandom 0.2.10",
+ "getrandom",
 "redox_syscall 0.2.16",
 "thiserror",
 ]
@@ -2045,15 +2028,6 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"

-[[package]]
-name = "wasip2"
-version = "1.0.2+wasi-0.2.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
-dependencies = [
- "wit-bindgen",
-]
-
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.87"
@@ -2309,9 +2283,3 @@ dependencies = [
 "cfg-if",
 "windows-sys 0.48.0",
 ]
-
-[[package]]
-name = "wit-bindgen"
-version = "0.51.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
--- a/rust/Cargo.toml
+++ b/rust/Cargo.toml
@@ -57,7 +57,7 @@ anyhow = "1.0.71"
 pyo3 = { version = "0.18.3", features = ["macros", "anyhow"] }
 pyo3-asyncio = { version = "0.18.0", features = ["tokio-runtime", "attributes", "testing"] }
 rusb = "0.9.2"
-rand = "0.9.3"
+rand = "0.8.5"
 clap = { version = "4.3.3", features = ["derive"] }
 owo-colors = "3.5.0"
 log = "0.4.19"
--- a/tests/host_test.py
+++ b/tests/host_test.py
@@ -171,14 +171,15 @@ class Source:


 class Sink:
-    response: HCI_Event
+    response: HCI_Event | None

-    def __init__(self, source: Source, response: HCI_Event) -> None:
+    def __init__(self, source: Source, response: HCI_Event | None) -> None:
        self.source = source
        self.response = response

    def on_packet(self, packet: bytes) -> None:
-        self.source.sink.on_packet(bytes(self.response))
+        if self.response is not None:
+            self.source.sink.on_packet(bytes(self.response))


@pytest.mark.asyncio
@@ -228,6 +229,23 @@ async def test_send_sync_command() -> None:
    assert isinstance(response3.return_parameters, HCI_GenericReturnParameters)


+@pytest.mark.asyncio
+async def test_send_sync_command_timeout() -> None:
+    source = Source()
+    sink = Sink(source, None)
+
+    host = Host(source, sink)
+    host.ready = True
+
+    with pytest.raises(asyncio.TimeoutError):
+        await host.send_sync_command(HCI_Reset_Command(), response_timeout=0.01)
+
+    # The sending semaphore should have been released, so this should not block
+    # indefinitely
+    with pytest.raises(asyncio.TimeoutError):
+        await host.send_sync_command(hci.HCI_Reset_Command(), response_timeout=0.01)
+
+
@pytest.mark.asyncio
 async def test_send_async_command() -> None:
    source = Source()
--- a/tests/sdp_test.py
+++ b/tests/sdp_test.py
@@ -18,9 +18,11 @@
 import asyncio
 import logging
 import os
+import re

 import pytest

+from bumble import sdp
 from bumble.core import BT_L2CAP_PROTOCOL_ID, UUID
 from bumble.sdp import (
    SDP_BROWSE_GROUP_LIST_ATTRIBUTE_ID,
@@ -206,6 +208,16 @@ def sdp_records(record_count=1):
    }


+# -----------------------------------------------------------------------------
+def test_pdu_parameter_length(caplog) -> None:
+    caplog.set_level(logging.WARNING)
+    pdu = sdp.SDP_ErrorResponse(
+        transaction_id=0, error_code=sdp.ErrorCode.INVALID_SDP_VERSION
+    )
+    assert sdp.SDP_PDU.from_bytes(bytes(pdu)) == pdu
+    assert not re.search("Expect \d+ bytes, got \d+", caplog.text)
+
+
 # -----------------------------------------------------------------------------
@pytest.mark.asyncio
 async def test_service_search():
Author	SHA1	Message	Date
Josh Wu	27d02ef18d	Merge pull request #913 from zxzxwu/sdp SDP: Fix wrong parameter size	2026-04-20 16:32:37 +08:00
Josh Wu	c0725e2a4a	SDP: Fix wrong parameter size	2026-04-20 16:23:19 +08:00
Josh Wu	bf0784dde4	Merge pull request #912 from ibondarenko1/fix/empty-pdu-crash fix: add input validation to prevent remote crash from empty/malforme…	2026-04-20 14:36:48 +08:00
Ievgen Bondarenko	444f43f6a3	fix: address review feedback - use InvalidPacketError and abort on buffer overflow - att.py: raise core.InvalidPacketError instead of generic ValueError - smp.py: raise core.InvalidPacketError instead of generic ValueError - hfp.py: add MAX_BUFFER_SIZE class constant (64KB) - hfp.py: drop incoming data when it would overflow buffer instead of truncating, preserving existing partial-packet state Per review comments on PR #912 by @zxzxwu.	2026-04-16 11:24:09 -07:00
Gilles Boccon-Gibod	2420c47cf1	Merge pull request #911 from google/gbg/issue-910 release command semaphore after timeout	2026-04-16 18:11:57 +02:00
Ievgen Bondarenko	0a78e7506b	fix: add input validation to prevent remote crash from empty/malformed PDUs Add length checks in from_bytes() for ATT and SMP protocol parsers to prevent IndexError crashes from empty PDUs sent by remote Bluetooth devices. Also add buffer size limit and UTF-8 error handling in HFP protocol to prevent memory exhaustion and decode crashes. - bumble/att.py: validate PDU is non-empty before accessing pdu[0] - bumble/smp.py: validate PDU is non-empty before accessing pdu[0] - bumble/hfp.py: limit buffer to 64KB, handle invalid UTF-8 gracefully These issues can be triggered by a remote Bluetooth device sending malformed packets, causing denial of service on the host.	2026-04-16 01:43:41 -07:00
Gilles Boccon-Gibod	f7cc6f6657	release command semaphore after timeout	2026-04-15 16:54:54 +02:00