Merge branch 'master' into refactor/speed-aggregation-tests

bdraco · web-flow · commit ad1c35e8626a · 2026-05-20T14:18:57.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,27 @@
 
 <!-- version list -->
 
+## v0.149.13 (2026-05-20)
+
+### Bug Fixes
+
+- Bound record payload reads against rdlength overrun
+  ([#1756](https://github.com/python-zeroconf/python-zeroconf/pull/1756),
+  [`5444495`](https://github.com/python-zeroconf/python-zeroconf/commit/544449596e645fcaad3834fa0cb614a54f847a82))
+
+### Documentation
+
+- Clarify LGPL-2.1-or-later license in README
+  ([#1763](https://github.com/python-zeroconf/python-zeroconf/pull/1763),
+  [`28bb01f`](https://github.com/python-zeroconf/python-zeroconf/commit/28bb01f23951f7883d8c3af66b6d537c34c516c7))
+
+### Refactoring
+
+- Extract loopback Zeroconf fixtures and mock_incoming_msg helper
+  ([#1758](https://github.com/python-zeroconf/python-zeroconf/pull/1758),
+  [`cb0af4a`](https://github.com/python-zeroconf/python-zeroconf/commit/cb0af4a8f4cdaad3721a2851d9fa17709d39ae62))
+
+
 ## v0.149.12 (2026-05-20)
 
 ### Bug Fixes
diff --git a/README.rst b/README.rst
@@ -151,4 +151,10 @@ Changelog
 License
 =======
 
-LGPL, see COPYING file for details.
+GNU Lesser General Public License v2.1 or later (LGPL-2.1-or-later).
+
+The full text of LGPL 2.1 is included in the `COPYING <COPYING>`_ file.
+You may, at your option, use this library under the terms of any later
+version of the LGPL published by the Free Software Foundation. The
+canonical SPDX identifier for this project is ``LGPL-2.1-or-later``, as
+declared in ``pyproject.toml``.
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 
 [project]
 name = "zeroconf"
-version = "0.149.12"
+version = "0.149.13"
 license = "LGPL-2.1-or-later"
 description = "A pure python implementation of multicast DNS service discovery"
 readme = "README.rst"
diff --git a/src/zeroconf/__init__.py b/src/zeroconf/__init__.py
@@ -88,7 +88,7 @@
 
 __author__ = "Paul Scott-Murphy, William McBrine"
 __maintainer__ = "Jakub Stasiak <jakub@stasiak.at>"
-__version__ = "0.149.12"
+__version__ = "0.149.13"
 __license__ = "LGPL"
 
 
diff --git a/src/zeroconf/_core.py b/src/zeroconf/_core.py
@@ -104,6 +104,13 @@
 
 _REGISTER_BROADCASTS = 3
 
+# RFC 6762 §8.1 thundering-herd avoidance: wait a random
+# 0-250ms before the first probe so simultaneously-started
+# responders don't collide. We default to 150-250ms to
+# preserve existing timing assumptions; tests on loopback
+# may patch this lower via the `quick_timing` fixture.
+_PROBE_RANDOM_DELAY_INTERVAL = (150, 250)  # ms
+
 
 def async_send_with_transport(
     log_debug: bool,
@@ -561,7 +568,7 @@ async def async_check_service(
 
         # Wait a random amount of time up avoid collisions and avoid
         # a thundering herd when multiple services are started on the network
-        await self.async_wait(random.randint(150, 250))  # noqa: S311
+        await self.async_wait(random.randint(*_PROBE_RANDOM_DELAY_INTERVAL))  # noqa: S311
 
         next_instance_number = 2
         next_time = now = current_time_millis()
diff --git a/src/zeroconf/_protocol/incoming.py b/src/zeroconf/_protocol/incoming.py
@@ -254,12 +254,27 @@ def _read_character_string(self) -> str:
         """Reads a character string from the packet"""
         length = self.view[self.offset]
         self.offset += 1
+        # Python slicing silently truncates when indices exceed the buffer,
+        # but self.offset still advances by the declared length below; without
+        # this check a record with an inflated character-string length would
+        # land in the cache carrying a payload shorter than the wire claimed
+        # and leave the parser pointed past _data_len for the next record.
+        if self.offset + length > self._data_len:
+            raise IncomingDecodeError(
+                f"Character string length {length} at offset {self.offset} overruns "
+                f"packet of {self._data_len} bytes from {self.source}"
+            )
         info = self.data[self.offset : self.offset + length].decode("utf-8", "replace")
         self.offset += length
         return info
 
     def _read_string(self, length: _int) -> bytes:
         """Reads a string of a given length from the packet"""
+        if self.offset + length > self._data_len:
+            raise IncomingDecodeError(
+                f"String length {length} at offset {self.offset} overruns "
+                f"packet of {self._data_len} bytes from {self.source}"
+            )
         info = self.data[self.offset : self.offset + length]
         self.offset += length
         return info
@@ -297,6 +312,19 @@ def _read_others(self) -> None:
                     self.data,
                     exc_info=True,
                 )
+            if rec is not None and self.offset != end:
+                # The decoded record consumed a different number of bytes than
+                # rdlength advertised. The record is built from a slice that
+                # straddles its rdata boundary, so drop it and resync to the
+                # declared end so the next record header lands aligned.
+                log.debug(
+                    "Record for %s with type %s did not consume exactly rdlength=%d; dropping",
+                    domain,
+                    _TYPES.get(type_, type_),
+                    length,
+                )
+                self.offset = end
+                rec = None
             if rec is not None:
                 self._answers.append(rec)
 
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -82,17 +82,22 @@ def quick_timing() -> Generator[None]:
     """Shorten the probe/announce/goodbye/first-query intervals for tests on loopback.
 
     The production values (_CHECK_TIME=500ms, _REGISTER_TIME=225ms,
-    _UNREGISTER_TIME=125ms, _FIRST_QUERY_DELAY_RANDOM_INTERVAL=20-120ms)
-    exist for RFC 6762 interop on real networks (§8.1 thundering-herd
-    avoidance for probing, §5.2 for the initial-query delay). Tests on
-    127.0.0.1 do not need them and pay 1-2s per register/unregister
-    cycle and 20-120ms per ServiceBrowser startup without this fixture.
-    Opt in by adding `quick_timing` to a test's argument list.
+    _UNREGISTER_TIME=125ms, _PROBE_RANDOM_DELAY_INTERVAL=150-250ms,
+    _FIRST_QUERY_DELAY_RANDOM_INTERVAL=20-120ms) exist for RFC 6762
+    interop on real networks (§8.1 thundering-herd avoidance for
+    probing, §5.2 for the initial-query delay). Tests on 127.0.0.1
+    do not need them and pay 1-2s per register/unregister cycle,
+    150-250ms per probe, and 20-120ms per ServiceBrowser startup
+    without this fixture. Opt in either by adding `quick_timing`
+    to a test's argument list or via
+    `@pytest.mark.usefixtures("quick_timing")` on the test or
+    its class.
     """
     with (
         patch.object(_core, "_CHECK_TIME", 10),
         patch.object(_core, "_REGISTER_TIME", 10),
         patch.object(_core, "_UNREGISTER_TIME", 10),
+        patch.object(_core, "_PROBE_RANDOM_DELAY_INTERVAL", (1, 5)),
         patch.object(service_browser, "_FIRST_QUERY_DELAY_RANDOM_INTERVAL", (1, 5)),
     ):
         yield
@@ -132,9 +137,11 @@ def quick_request_timing() -> Generator[None]:
     The 200ms `_LISTENER_TIME` and 20-120ms random jitter (RFC 6762
     §5.2) help spread queries from multiple clients on real networks.
     On loopback they're pure overhead — get_service_info-style tests
-    wait ~250ms before the first query even fires. Opt in by adding
-    `quick_request_timing` to a test's argument list, then drop the
-    test's own timeouts (which had to accommodate that delay).
+    wait ~250ms before the first query even fires. Opt in either by
+    adding `quick_request_timing` to a test's argument list or via
+    `@pytest.mark.usefixtures("quick_request_timing")` on the test
+    or its class, then drop the test's own timeouts (which had to
+    accommodate that delay).
     """
     with (
         patch.object(service_info, "_LISTENER_TIME", 10),
diff --git a/tests/services/test_info.py b/tests/services/test_info.py
@@ -251,6 +251,7 @@ def test_service_info_rejects_expired_records(self):
 
     @unittest.skipIf(not has_working_ipv6(), "Requires IPv6")
     @unittest.skipIf(os.environ.get("SKIP_IPV6"), "IPv6 tests disabled")
+    @pytest.mark.usefixtures("quick_request_timing")
     def test_get_info_partial(self):
         zc = r.Zeroconf(interfaces=["127.0.0.1"])
 
diff --git a/tests/test_asyncio.py b/tests/test_asyncio.py
@@ -608,7 +608,7 @@ async def test_async_wait_unblocks_on_update(quick_timing: None) -> None:
 
 
 @pytest.mark.asyncio
-async def test_service_info_async_request(quick_timing: None) -> None:
+async def test_service_info_async_request(quick_timing: None, quick_request_timing: None) -> None:
     """Test registering services broadcasts and query with AsyncServceInfo.async_request."""
     if not has_working_ipv6() or os.environ.get("SKIP_IPV6"):
         pytest.skip("Requires IPv6")
@@ -710,13 +710,13 @@ async def test_service_info_async_request(quick_timing: None) -> None:
     aiozc.zeroconf.out_delay_queue.queue.clear()
     aiosinfo = AsyncServiceInfo(type_, registration_name)
     _clear_cache(aiozc.zeroconf)
-    # Generating the race condition is almost impossible
-    # without patching since its a TOCTOU race. 1500ms covers
-    # the initial _LISTENER_TIME + random delay (200-320ms) and
-    # leaves plenty of margin for the loopback response to land
+    # Generating the race condition is almost impossible without
+    # patching since it's a TOCTOU race. Under `quick_request_timing`
+    # the first QU query fires at ~10ms and the QM follow-up at ~15ms;
+    # 300ms leaves plenty of margin for the loopback response to land
     # before the loop times out.
     with patch("zeroconf.asyncio.AsyncServiceInfo._is_complete", False):
-        await aiosinfo.async_request(aiozc.zeroconf, 1500)
+        await aiosinfo.async_request(aiozc.zeroconf, 300)
     assert aiosinfo is not None
     assert aiosinfo.addresses == [socket.inet_aton("10.0.1.3")]
 
diff --git a/tests/test_protocol.py b/tests/test_protocol.py
@@ -886,6 +886,89 @@ def test_nsec_bitmap_truncated_window_header_rejected():
     assert not any(isinstance(a, r.DNSNsec) for a in answers)
 
 
+def test_txt_rdlength_overruns_packet_rejected():
+    """A TXT record with rdlength past the buffer must not enter the cache.
+
+    Python slicing silently truncates when the slice end exceeds the buffer,
+    so without a bounds check in ``_read_string`` a malformed wire frame
+    would land in the cache carrying a payload shorter than the rdlength
+    declared, leaving the parser desynchronized for downstream records.
+    """
+    packet = (
+        b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00"
+        b"\x04test\x05local\x00"
+        b"\x00\x10\x80\x01"
+        b"\x00\x00\x11\x94"
+        b"\xff\xff"
+        b"\x05hello"
+    )
+    parsed = r.DNSIncoming(packet)
+    assert parsed.valid
+    assert parsed.answers() == []
+
+
+def test_hinfo_character_string_length_overruns_record_rejected():
+    """A HINFO character string declaring more bytes than remain must be rejected."""
+    packet = (
+        b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00"
+        b"\x04test\x05local\x00"
+        b"\x00\x0d\x80\x01"
+        b"\x00\x00\x11\x94"
+        b"\x00\x07"
+        b"\x03cpu"
+        b"\xff\xff\xff"
+    )
+    parsed = r.DNSIncoming(packet)
+    assert parsed.valid
+    assert not any(isinstance(a, r.DNSHinfo) for a in parsed.answers())
+
+
+def test_a_record_rdlength_overruns_packet_rejected():
+    """An A record whose 4-byte address would walk past the buffer must be rejected."""
+    packet = (
+        b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00"
+        b"\x04test\x05local\x00"
+        b"\x00\x01\x80\x01"
+        b"\x00\x00\x11\x94"
+        b"\x00\x04"
+        b"\xc0\xa8"
+    )
+    parsed = r.DNSIncoming(packet)
+    assert parsed.valid
+    assert not any(isinstance(a, r.DNSAddress) for a in parsed.answers())
+
+
+def test_record_consuming_more_than_rdlength_dropped_and_resyncs():
+    """A record whose decoded fields overrun its rdlength must drop and resync.
+
+    The first answer is a HINFO with ``rdlength=2`` and rdata ``\\x01x`` (one
+    char string ``"x"``). The second character string's length byte then comes
+    from the next record's name (``\\x00``, root domain), so the HINFO would
+    silently parse as ``cpu="x", os=""`` but leave the offset one byte past
+    the declared end, smearing the second record's framing. With the per-record
+    boundary check the bogus HINFO is dropped and the second record decodes.
+    """
+    packet = (
+        b"\x00\x00\x84\x00\x00\x00\x00\x02\x00\x00\x00\x00"
+        b"\x04test\x05local\x00"
+        b"\x00\x0d\x80\x01"
+        b"\x00\x00\x11\x94"
+        b"\x00\x02"
+        b"\x01x"
+        b"\x00"
+        b"\x00\x0c\x00\x01"
+        b"\x00\x00\x11\x94"
+        b"\x00\x02"
+        b"\xc0\x0c"
+    )
+    parsed = r.DNSIncoming(packet)
+    answers = parsed.answers()
+    assert not any(isinstance(a, r.DNSHinfo) for a in answers)
+    ptrs = [a for a in answers if isinstance(a, r.DNSPointer)]
+    assert len(ptrs) == 1
+    assert ptrs[0].alias == "test.local."
+
+
 def test_records_same_packet_share_fate():
     """Test records in the same packet all have the same created time."""
     out = r.DNSOutgoing(const._FLAGS_QR_QUERY | const._FLAGS_AA)
diff --git a/tests/test_services.py b/tests/test_services.py
@@ -33,7 +33,7 @@ def teardown_module():
 
 
 class ListenerTest(unittest.TestCase):
-    @pytest.mark.usefixtures("quick_timing")
+    @pytest.mark.usefixtures("quick_timing", "quick_request_timing")
     def test_integration_with_listener_class(self):
         sub_service_added = Event()
         service_added = Event()
diff --git a/tests/utils/test_asyncio.py b/tests/utils/test_asyncio.py
@@ -86,18 +86,22 @@ async def _still_running():
         await asyncio.sleep(5)
 
     def _run_coro() -> None:
-        runcoro_thread_ready.set()
         assert loop is not None
+        future = asyncio.run_coroutine_threadsafe(_still_running(), loop)
+        runcoro_thread_ready.set()
         with contextlib.suppress(concurrent.futures.TimeoutError):
-            asyncio.run_coroutine_threadsafe(_still_running(), loop).result(1)
+            future.result(0.1)
 
     runcoro_thread = threading.Thread(target=_run_coro, daemon=True)
     runcoro_thread.start()
     runcoro_thread_ready.wait()
 
-    time.sleep(0.1)
     assert loop is not None
-    aioutils.shutdown_loop(loop)
+    # Patch _TASK_AWAIT_TIMEOUT so the inner `asyncio.wait` returns
+    # within 50ms instead of blocking the full 1s on the deliberately
+    # never-completing _still_running() task.
+    with patch.object(aioutils, "_TASK_AWAIT_TIMEOUT", 0.05):
+        aioutils.shutdown_loop(loop)
     for _ in range(5):
         if not loop.is_running():
             break
