fix: bound TC-deferred queues against spoofed-source flood OOM

bdraco · bdraco · commit e2ee4dc68c15 · 2026-05-20T08:50:51.000-05:00
`AsyncListener.handle_query_or_defer` retains every truncated query in
`self._deferred[addr]` and arms a per-addr timer that flushes within
~500ms. Neither the per-addr list nor the number of distinct addr keys
was capped, so a LAN peer streaming byte-distinct TC-flagged queries —
trivially amplified by spoofing source IPs — could grow `_deferred`
and `_timers` until the process OOMs.

Add two caps and an LRU-style eviction:

- `_MAX_DEFERRED_PER_ADDR = 16` bounds the per-addr queue. RFC 6762
  §18.5 anticipates only a handful of segments per truncated query.
  The existing O(N) dedup scan now runs over a constant-bounded list.
- `_MAX_DEFERRED_ADDRS = 512` bounds the total distinct addrs with
  in-flight state. The cap leaves headroom for a legitimate burst
  (a LAN-wide power-resume / boot storm where many devices announce
  at once) while bounding worst-case memory at ~72 MB. When a new
  addr would exceed the cap, the oldest (insertion-order) entry is
  evicted: its timer is cancelled and its queue is discarded so the
  bound holds even when an attacker rotates source IPs faster than
  the reassembly timer can drain entries.

Both constants are cdef'd in `_listener.pxd` so the bound checks
compile to direct C integer compares.
diff --git a/src/zeroconf/_listener.pxd b/src/zeroconf/_listener.pxd
@@ -15,6 +15,8 @@ cdef bint TYPE_CHECKING
 cdef cython.uint _MAX_MSG_ABSOLUTE
 cdef cython.uint _DUPLICATE_PACKET_SUPPRESSION_INTERVAL
 cdef cython.uint _RECENT_PACKETS_MAX
+cdef cython.uint _MAX_DEFERRED_ADDRS
+cdef cython.uint _MAX_DEFERRED_PER_ADDR
 
 
 cdef class AsyncListener:
@@ -41,6 +43,8 @@ cdef class AsyncListener:
 
     cdef _cancel_any_timers_for_addr(self, object addr)
 
+    cdef _evict_oldest_deferred(self)
+
     @cython.locals(deadline=object, fire_at=double)
     cdef double _compute_deferred_fire_at(self, object addr, double now, double delay)
 
diff --git a/src/zeroconf/_listener.py b/src/zeroconf/_listener.py
@@ -32,7 +32,13 @@
 from ._protocol.incoming import DNSIncoming
 from ._transport import _WrappedTransport, make_wrapped_transport
 from ._utils.time import current_time_millis, millis_to_seconds
-from .const import _DUPLICATE_PACKET_SUPPRESSION_INTERVAL, _MAX_MSG_ABSOLUTE, _RECENT_PACKETS_MAX
+from .const import (
+    _DUPLICATE_PACKET_SUPPRESSION_INTERVAL,
+    _MAX_DEFERRED_ADDRS,
+    _MAX_DEFERRED_PER_ADDR,
+    _MAX_MSG_ABSOLUTE,
+    _RECENT_PACKETS_MAX,
+)
 
 if TYPE_CHECKING:
     from ._core import Zeroconf
@@ -240,7 +246,17 @@ def handle_query_or_defer(
             self._respond_query(msg, addr, port, transport, v6_flow_scope)
             return
 
+        if addr not in self._deferred and len(self._deferred) >= _MAX_DEFERRED_ADDRS:
+            # Bound total deferred addrs so a spoofed-source flood
+            # cannot keep adding distinct entries; evict the oldest
+            # (insertion-order) entry and discard its in-flight queue.
+            self._evict_oldest_deferred()
+
         deferred = self._deferred.setdefault(addr, [])
+        if len(deferred) >= _MAX_DEFERRED_PER_ADDR:
+            # Bound per-addr queue length; further fragments from the
+            # same source are dropped until the timer flushes.
+            return
         # If we get the same packet we ignore it
         for incoming in reversed(deferred):
             if incoming.data == msg.data:
@@ -293,6 +309,18 @@ def _cancel_any_timers_for_addr(self, addr: _str) -> None:
         if addr in self._timers:
             self._timers.pop(addr).cancel()
 
+    def _evict_oldest_deferred(self) -> None:
+        """Discard the oldest deferred addr's reassembly state.
+
+        Used when ``_MAX_DEFERRED_ADDRS`` would be exceeded; the
+        evicted addr's queue and timer are dropped without firing, so
+        the bound holds even when an attacker rotates source IPs.
+        """
+        oldest_addr = next(iter(self._deferred))
+        self._cancel_any_timers_for_addr(oldest_addr)
+        self._deferred_deadlines.pop(oldest_addr, None)
+        del self._deferred[oldest_addr]
+
     def _respond_query(
         self,
         msg: DNSIncoming | None,
diff --git a/src/zeroconf/const.py b/src/zeroconf/const.py
@@ -77,6 +77,20 @@
 # flooding distinct questions (RFC 6762 §7.3, defense-in-depth).
 _MAX_QUESTION_HISTORY_ENTRIES = 10000
 
+# Per-addr cap on the number of truncated (TC-bit) packets retained for
+# RFC 6762 §18.5 reassembly. The spec anticipates only a handful of
+# segments per truncated query; 16 is well above legitimate need and
+# keeps the per-arrival dedup scan a constant-time cost under a flood.
+_MAX_DEFERRED_PER_ADDR = 16
+
+# Per-listener cap on the number of distinct addrs with in-flight
+# TC-deferral state. Each entry can hold up to _MAX_DEFERRED_PER_ADDR
+# packets of up to _MAX_MSG_ABSOLUTE bytes; 512 leaves headroom for a
+# legitimate burst (LAN-wide power-resume / boot storm where many
+# devices announce at once) while bounding worst-case memory at
+# ~72 MB even when a peer floods with spoofed source IPs.
+_MAX_DEFERRED_ADDRS = 512
+
 _DNS_PACKET_HEADER_LEN = 12
 
 _MAX_MSG_TYPICAL = 1460  # unused
diff --git a/tests/test_core.py b/tests/test_core.py
@@ -794,6 +794,148 @@ def test_tc_bit_defer_window_is_bounded():
     zc.close()
 
 
+def _make_distinct_tc_packets(count: int, name_prefix: str = "q") -> list[bytes]:
+    """Generate ``count`` byte-distinct TC-flagged query packets for flood inputs."""
+    packets = []
+    for i in range(count):
+        out = r.DNSOutgoing(const._FLAGS_QR_QUERY | const._FLAGS_TC)
+        out.add_question(r.DNSQuestion(f"{name_prefix}{i}._tcp.local.", const._TYPE_PTR, const._CLASS_IN))
+        packets.append(out.packets()[0])
+    return packets
+
+
+def test_tc_bit_per_addr_queue_is_bounded():
+    """Per-addr deferred queue must not grow past ``_MAX_DEFERRED_PER_ADDR``."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    _wait_for_start(zc)
+    type_ = "_perbound._tcp.local."
+    info = r.ServiceInfo(
+        type_,
+        f"a.{type_}",
+        80,
+        0,
+        0,
+        {"path": "/~paulsm/"},
+        "ash-2.local.",
+        addresses=[socket.inet_aton("10.0.1.2")],
+    )
+    zc.registry.async_add(info)
+
+    protocol = zc.engine.protocols[0]
+    _clear_cache(zc)
+    source_ip = "203.0.113.21"
+
+    extra = 4
+    packets = _make_distinct_tc_packets(const._MAX_DEFERRED_PER_ADDR + extra)
+    for raw in packets:
+        threadsafe_query(zc, protocol, r.DNSIncoming(raw), source_ip, const._MDNS_PORT, Mock(), ())
+
+    assert len(protocol._deferred[source_ip]) == const._MAX_DEFERRED_PER_ADDR
+    # Last ``extra`` packets must have been dropped, not displaced; the
+    # earlier ``_MAX_DEFERRED_PER_ADDR`` entries are the ones retained.
+    retained = [incoming.data for incoming in protocol._deferred[source_ip]]
+    assert retained == packets[: const._MAX_DEFERRED_PER_ADDR]
+
+    zc.registry.async_remove(info)
+    zc.close()
+
+
+def _synthetic_source_ip(i: int) -> str:
+    """Distinct synthetic source IPs from the documentation ranges."""
+    if i < 256:
+        return f"203.0.113.{i}"
+    if i < 512:
+        return f"198.51.100.{i - 256}"
+    return f"192.0.2.{i - 512}"
+
+
+def test_tc_bit_total_addrs_is_bounded():
+    """Distinct addrs with deferred state must not exceed ``_MAX_DEFERRED_ADDRS``."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    _wait_for_start(zc)
+    type_ = "_addrbound._tcp.local."
+    info = r.ServiceInfo(
+        type_,
+        f"a.{type_}",
+        80,
+        0,
+        0,
+        {"path": "/~paulsm/"},
+        "ash-2.local.",
+        addresses=[socket.inet_aton("10.0.1.2")],
+    )
+    zc.registry.async_add(info)
+
+    protocol = zc.engine.protocols[0]
+    _clear_cache(zc)
+
+    raw = _make_distinct_tc_packets(1)[0]
+    extra = 4
+    addrs = [_synthetic_source_ip(i) for i in range(const._MAX_DEFERRED_ADDRS + extra)]
+
+    # Run all enqueues in a single loop pass so PyPy / slow runners
+    # cannot drain timers between calls.
+    async def run() -> None:
+        for source_ip in addrs:
+            protocol.handle_query_or_defer(r.DNSIncoming(raw), source_ip, const._MDNS_PORT, Mock(), ())
+
+    assert zc.loop is not None
+    asyncio.run_coroutine_threadsafe(run(), zc.loop).result()
+
+    assert len(protocol._deferred) == const._MAX_DEFERRED_ADDRS
+    assert len(protocol._timers) == const._MAX_DEFERRED_ADDRS
+
+    zc.registry.async_remove(info)
+    zc.close()
+
+
+def test_tc_bit_eviction_drops_oldest_addr():
+    """Adding a new addr at capacity drops the oldest insertion."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    _wait_for_start(zc)
+    type_ = "_evictoldest._tcp.local."
+    info = r.ServiceInfo(
+        type_,
+        f"a.{type_}",
+        80,
+        0,
+        0,
+        {"path": "/~paulsm/"},
+        "ash-2.local.",
+        addresses=[socket.inet_aton("10.0.1.2")],
+    )
+    zc.registry.async_add(info)
+
+    protocol = zc.engine.protocols[0]
+    _clear_cache(zc)
+
+    raw = _make_distinct_tc_packets(1)[0]
+    fillers = [_synthetic_source_ip(i) for i in range(const._MAX_DEFERRED_ADDRS)]
+    new_addr = _synthetic_source_ip(const._MAX_DEFERRED_ADDRS)
+
+    async def run_fill() -> None:
+        for source_ip in fillers:
+            protocol.handle_query_or_defer(r.DNSIncoming(raw), source_ip, const._MDNS_PORT, Mock(), ())
+
+    async def run_overflow() -> None:
+        protocol.handle_query_or_defer(r.DNSIncoming(raw), new_addr, const._MDNS_PORT, Mock(), ())
+
+    assert zc.loop is not None
+    asyncio.run_coroutine_threadsafe(run_fill(), zc.loop).result()
+    assert len(protocol._deferred) == const._MAX_DEFERRED_ADDRS
+    oldest = fillers[0]
+    assert oldest in protocol._deferred
+
+    asyncio.run_coroutine_threadsafe(run_overflow(), zc.loop).result()
+    assert oldest not in protocol._deferred
+    assert oldest not in protocol._timers
+    assert new_addr in protocol._deferred
+    assert len(protocol._deferred) == const._MAX_DEFERRED_ADDRS
+
+    zc.registry.async_remove(info)
+    zc.close()
+
+
 @pytest.mark.asyncio
 async def test_open_close_twice_from_async() -> None:
     """Test we can close twice from a coroutine when using Zeroconf.
