fix: bound TC-deferred queues against spoofed-source flood OOM

bdraco · bdraco · commit eb031b7f9876 · 2026-05-20T08:40:34.000-05:00
`AsyncListener.handle_query_or_defer` retains every truncated query in
`self._deferred[addr]` and arms a per-addr timer that flushes within
~500ms. Neither the per-addr list nor the number of distinct addr keys
was capped, so a LAN peer streaming byte-distinct TC-flagged queries —
trivially amplified by spoofing source IPs — could grow `_deferred`
and `_timers` until the process OOMs.

Add two caps and an LRU-style eviction:

- `_MAX_DEFERRED_PER_ADDR = 16` bounds the per-addr queue. RFC 6762
  §18.5 anticipates only a handful of segments per truncated query.
  The existing O(N) dedup scan now runs over a constant-bounded list.
- `_MAX_DEFERRED_ADDRS = 256` bounds the total distinct addrs with
  in-flight state. When a new addr would exceed the cap, the oldest
  (insertion-order) entry is evicted: its timer is cancelled and its
  queue is discarded so the bound holds even when an attacker rotates
  source IPs faster than the reassembly timer can drain entries.

Both constants are cdef'd in `_listener.pxd` so the bound checks
compile to direct C integer compares.
diff --git a/src/zeroconf/_listener.pxd b/src/zeroconf/_listener.pxd
@@ -15,6 +15,8 @@ cdef bint TYPE_CHECKING
 cdef cython.uint _MAX_MSG_ABSOLUTE
 cdef cython.uint _DUPLICATE_PACKET_SUPPRESSION_INTERVAL
 cdef cython.uint _RECENT_PACKETS_MAX
+cdef cython.uint _MAX_DEFERRED_ADDRS
+cdef cython.uint _MAX_DEFERRED_PER_ADDR
 
 
 cdef class AsyncListener:
@@ -41,6 +43,8 @@ cdef class AsyncListener:
 
     cdef _cancel_any_timers_for_addr(self, object addr)
 
+    cdef _evict_oldest_deferred(self)
+
     @cython.locals(deadline=object, fire_at=double)
     cdef double _compute_deferred_fire_at(self, object addr, double now, double delay)
 
diff --git a/src/zeroconf/_listener.py b/src/zeroconf/_listener.py
@@ -32,7 +32,13 @@
 from ._protocol.incoming import DNSIncoming
 from ._transport import _WrappedTransport, make_wrapped_transport
 from ._utils.time import current_time_millis, millis_to_seconds
-from .const import _DUPLICATE_PACKET_SUPPRESSION_INTERVAL, _MAX_MSG_ABSOLUTE, _RECENT_PACKETS_MAX
+from .const import (
+    _DUPLICATE_PACKET_SUPPRESSION_INTERVAL,
+    _MAX_DEFERRED_ADDRS,
+    _MAX_DEFERRED_PER_ADDR,
+    _MAX_MSG_ABSOLUTE,
+    _RECENT_PACKETS_MAX,
+)
 
 if TYPE_CHECKING:
     from ._core import Zeroconf
@@ -240,7 +246,17 @@ def handle_query_or_defer(
             self._respond_query(msg, addr, port, transport, v6_flow_scope)
             return
 
+        if addr not in self._deferred and len(self._deferred) >= _MAX_DEFERRED_ADDRS:
+            # Bound total deferred addrs so a spoofed-source flood
+            # cannot keep adding distinct entries; evict the oldest
+            # (insertion-order) entry and discard its in-flight queue.
+            self._evict_oldest_deferred()
+
         deferred = self._deferred.setdefault(addr, [])
+        if len(deferred) >= _MAX_DEFERRED_PER_ADDR:
+            # Bound per-addr queue length; further fragments from the
+            # same source are dropped until the timer flushes.
+            return
         # If we get the same packet we ignore it
         for incoming in reversed(deferred):
             if incoming.data == msg.data:
@@ -293,6 +309,18 @@ def _cancel_any_timers_for_addr(self, addr: _str) -> None:
         if addr in self._timers:
             self._timers.pop(addr).cancel()
 
+    def _evict_oldest_deferred(self) -> None:
+        """Discard the oldest deferred addr's reassembly state.
+
+        Used when ``_MAX_DEFERRED_ADDRS`` would be exceeded; the
+        evicted addr's queue and timer are dropped without firing, so
+        the bound holds even when an attacker rotates source IPs.
+        """
+        oldest_addr = next(iter(self._deferred))
+        self._cancel_any_timers_for_addr(oldest_addr)
+        self._deferred_deadlines.pop(oldest_addr, None)
+        del self._deferred[oldest_addr]
+
     def _respond_query(
         self,
         msg: DNSIncoming | None,
diff --git a/src/zeroconf/const.py b/src/zeroconf/const.py
@@ -77,6 +77,18 @@
 # flooding distinct questions (RFC 6762 §7.3, defense-in-depth).
 _MAX_QUESTION_HISTORY_ENTRIES = 10000
 
+# Per-addr cap on the number of truncated (TC-bit) packets retained for
+# RFC 6762 §18.5 reassembly. The spec anticipates only a handful of
+# segments per truncated query; 16 is well above legitimate need and
+# keeps the per-arrival dedup scan a constant-time cost under a flood.
+_MAX_DEFERRED_PER_ADDR = 16
+
+# Per-listener cap on the number of distinct addrs with in-flight
+# TC-deferral state. Each entry can hold up to _MAX_DEFERRED_PER_ADDR
+# packets of up to _MAX_MSG_ABSOLUTE bytes, so 256 bounds worst-case
+# memory at ~36 MB even when a peer floods with spoofed source IPs.
+_MAX_DEFERRED_ADDRS = 256
+
 _DNS_PACKET_HEADER_LEN = 12
 
 _MAX_MSG_TYPICAL = 1460  # unused
diff --git a/tests/test_core.py b/tests/test_core.py
@@ -794,6 +794,128 @@ def test_tc_bit_defer_window_is_bounded():
     zc.close()
 
 
+def _make_distinct_tc_packets(count: int, name_prefix: str = "q") -> list[bytes]:
+    """Generate ``count`` byte-distinct TC-flagged query packets for flood inputs."""
+    packets = []
+    for i in range(count):
+        out = r.DNSOutgoing(const._FLAGS_QR_QUERY | const._FLAGS_TC)
+        out.add_question(r.DNSQuestion(f"{name_prefix}{i}._tcp.local.", const._TYPE_PTR, const._CLASS_IN))
+        packets.append(out.packets()[0])
+    return packets
+
+
+def test_tc_bit_per_addr_queue_is_bounded():
+    """Per-addr deferred queue must not grow past ``_MAX_DEFERRED_PER_ADDR``."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    _wait_for_start(zc)
+    type_ = "_perbound._tcp.local."
+    info = r.ServiceInfo(
+        type_,
+        f"a.{type_}",
+        80,
+        0,
+        0,
+        {"path": "/~paulsm/"},
+        "ash-2.local.",
+        addresses=[socket.inet_aton("10.0.1.2")],
+    )
+    zc.registry.async_add(info)
+
+    protocol = zc.engine.protocols[0]
+    _clear_cache(zc)
+    source_ip = "203.0.113.21"
+
+    extra = 4
+    packets = _make_distinct_tc_packets(const._MAX_DEFERRED_PER_ADDR + extra)
+    for raw in packets:
+        threadsafe_query(zc, protocol, r.DNSIncoming(raw), source_ip, const._MDNS_PORT, Mock(), ())
+
+    assert len(protocol._deferred[source_ip]) == const._MAX_DEFERRED_PER_ADDR
+    # Last ``extra`` packets must have been dropped, not displaced; the
+    # earlier ``_MAX_DEFERRED_PER_ADDR`` entries are the ones retained.
+    retained = [incoming.data for incoming in protocol._deferred[source_ip]]
+    assert retained == packets[: const._MAX_DEFERRED_PER_ADDR]
+
+    zc.registry.async_remove(info)
+    zc.close()
+
+
+def test_tc_bit_total_addrs_is_bounded():
+    """Distinct addrs with deferred state must not exceed ``_MAX_DEFERRED_ADDRS``."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    _wait_for_start(zc)
+    type_ = "_addrbound._tcp.local."
+    info = r.ServiceInfo(
+        type_,
+        f"a.{type_}",
+        80,
+        0,
+        0,
+        {"path": "/~paulsm/"},
+        "ash-2.local.",
+        addresses=[socket.inet_aton("10.0.1.2")],
+    )
+    zc.registry.async_add(info)
+
+    protocol = zc.engine.protocols[0]
+    _clear_cache(zc)
+
+    raw = _make_distinct_tc_packets(1)[0]
+    extra = 4
+    for i in range(const._MAX_DEFERRED_ADDRS + extra):
+        # Synthetic source IPs from the documentation range; each is
+        # treated as a distinct addr key.
+        source_ip = f"203.0.113.{i % 256}" if i < 256 else f"198.51.100.{i - 256}"
+        threadsafe_query(zc, protocol, r.DNSIncoming(raw), source_ip, const._MDNS_PORT, Mock(), ())
+
+    assert len(protocol._deferred) == const._MAX_DEFERRED_ADDRS
+    assert len(protocol._timers) == const._MAX_DEFERRED_ADDRS
+
+    zc.registry.async_remove(info)
+    zc.close()
+
+
+def test_tc_bit_eviction_drops_oldest_addr():
+    """Adding a new addr at capacity drops the oldest insertion."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    _wait_for_start(zc)
+    type_ = "_evictoldest._tcp.local."
+    info = r.ServiceInfo(
+        type_,
+        f"a.{type_}",
+        80,
+        0,
+        0,
+        {"path": "/~paulsm/"},
+        "ash-2.local.",
+        addresses=[socket.inet_aton("10.0.1.2")],
+    )
+    zc.registry.async_add(info)
+
+    protocol = zc.engine.protocols[0]
+    _clear_cache(zc)
+
+    raw = _make_distinct_tc_packets(1)[0]
+    # Fill the dict to exactly capacity with predictable addrs.
+    fillers = [f"203.0.113.{i // 256}.{i % 256}" for i in range(const._MAX_DEFERRED_ADDRS)]
+    for source_ip in fillers:
+        threadsafe_query(zc, protocol, r.DNSIncoming(raw), source_ip, const._MDNS_PORT, Mock(), ())
+    assert len(protocol._deferred) == const._MAX_DEFERRED_ADDRS
+    oldest = fillers[0]
+    assert oldest in protocol._deferred
+
+    # One more distinct addr should evict the oldest insertion-order entry.
+    new_addr = "198.51.100.1"
+    threadsafe_query(zc, protocol, r.DNSIncoming(raw), new_addr, const._MDNS_PORT, Mock(), ())
+    assert oldest not in protocol._deferred
+    assert oldest not in protocol._timers
+    assert new_addr in protocol._deferred
+    assert len(protocol._deferred) == const._MAX_DEFERRED_ADDRS
+
+    zc.registry.async_remove(info)
+    zc.close()
+
+
 @pytest.mark.asyncio
 async def test_open_close_twice_from_async() -> None:
     """Test we can close twice from a coroutine when using Zeroconf.
