fix: bound duplicate-packet dedup against alternating-payload floods

bluetoothbot · bluetoothbot · commit 95696548f4b7 · 2026-05-20T03:21:11.000Z
Replace the single-slot remembered "last packet" with a bounded recency
window (16 most-recent payloads) keyed on the payload bytes, per
listener (per-interface). An attacker alternating between two
byte-distinct payloads previously slipped past dedup on every packet
because each one differed from the immediately-preceding payload,
forcing every datagram through DNSIncoming parse and the deferred
queue.

Per-listener state means a duplicate seen on one interface does not
suppress a legitimate QU / unicast reply that arrives on another.

Fix the existing disable_duplicate_packet_suppression fixture to also
patch _listener — the previous patch only touched const, so the
interval rebound at _listener module scope was never overridden; the
fixture worked by accident when the alternating-bypass kicked in.
diff --git a/src/zeroconf/_listener.pxd b/src/zeroconf/_listener.pxd
@@ -14,6 +14,7 @@ cdef bint TYPE_CHECKING
 
 cdef cython.uint _MAX_MSG_ABSOLUTE
 cdef cython.uint _DUPLICATE_PACKET_SUPPRESSION_INTERVAL
+cdef cython.uint _RECENT_PACKETS_MAX
 
 
 cdef class AsyncListener:
@@ -22,18 +23,16 @@ cdef class AsyncListener:
     cdef ServiceRegistry _registry
     cdef RecordManager _record_manager
     cdef QueryHandler _query_handler
-    cdef public cython.bytes data
-    cdef public double last_time
-    cdef public DNSIncoming last_message
     cdef public object transport
     cdef public object sock_description
     cdef public cython.dict _deferred
     cdef public cython.dict _timers
+    cdef public cython.dict _recent_packets
 
     @cython.locals(now=double, debug=cython.bint)
     cpdef datagram_received(self, cython.bytes bytes, cython.tuple addrs)
 
-    @cython.locals(msg=DNSIncoming)
+    @cython.locals(msg=DNSIncoming, recent_packets=cython.dict, recent=cython.tuple)
     cpdef _process_datagram_at_time(self, bint debug, cython.uint data_len, double now, bytes data, cython.tuple addrs)
 
     cdef _cancel_any_timers_for_addr(self, object addr)
diff --git a/src/zeroconf/_listener.py b/src/zeroconf/_listener.py
@@ -39,6 +39,12 @@
 
 _TC_DELAY_RANDOM_INTERVAL = (400, 500)
 
+# Bounded recency window so an alternating (A, B, A, B, ...) flood can't
+# slip past single-slot dedup. State lives on the listener (one per
+# interface) so a duplicate seen on one interface does not suppress a
+# legitimate QU / unicast reply that arrives on a different interface.
+_RECENT_PACKETS_MAX = 16
+
 
 _bytes = bytes
 _str = str
@@ -59,12 +65,10 @@ class AsyncListener:
     __slots__ = (
         "_deferred",
         "_query_handler",
+        "_recent_packets",
         "_record_manager",
         "_registry",
         "_timers",
-        "data",
-        "last_message",
-        "last_time",
         "sock_description",
         "transport",
         "zc",
@@ -75,13 +79,13 @@ def __init__(self, zc: Zeroconf) -> None:
         self._registry = zc.registry
         self._record_manager = zc.record_manager
         self._query_handler = zc.query_handler
-        self.data: bytes | None = None
-        self.last_time: float = 0
-        self.last_message: DNSIncoming | None = None
         self.transport: _WrappedTransport | None = None
         self.sock_description: str | None = None
         self._deferred: dict[str, list[DNSIncoming]] = {}
         self._timers: dict[str, asyncio.TimerHandle] = {}
+        # data -> (arrival_time_ms, has_qu_question). Relies on dict
+        # insertion order so the oldest entry is evicted first.
+        self._recent_packets: dict[bytes, tuple[float, bool]] = {}
         super().__init__()
 
     def datagram_received(self, data: _bytes, addrs: tuple[str, int] | tuple[str, int, int, int]) -> None:
@@ -110,11 +114,12 @@ def _process_datagram_at_time(
         data: _bytes,
         addrs: tuple[str, int] | tuple[str, int, int, int],
     ) -> None:
+        recent_packets = self._recent_packets
+        recent = recent_packets.get(data)
         if (
-            self.data == data
-            and (now - _DUPLICATE_PACKET_SUPPRESSION_INTERVAL) < self.last_time
-            and self.last_message is not None
-            and not self.last_message.has_qu_question()
+            recent is not None
+            and (now - _DUPLICATE_PACKET_SUPPRESSION_INTERVAL) < recent[0]
+            and not recent[1]
         ):
             # Guard against duplicate packets
             if debug:
@@ -145,9 +150,13 @@ def _process_datagram_at_time(
             addr_port = (addr, port)
 
         msg = DNSIncoming(data, addr_port, scope, now)
-        self.data = data
-        self.last_time = now
-        self.last_message = msg
+        # Move-to-end so a repeat payload refreshes its position and only
+        # cold entries are evicted when the window is full.
+        if data in recent_packets:
+            del recent_packets[data]
+        elif len(recent_packets) >= _RECENT_PACKETS_MAX:
+            del recent_packets[next(iter(recent_packets))]
+        recent_packets[data] = (now, msg.has_qu_question())
         if msg.valid is True:
             if debug:
                 log.debug(
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -8,7 +8,7 @@
 
 import pytest
 
-from zeroconf import _core, const
+from zeroconf import _core, _listener, const
 from zeroconf._handlers import query_handler
 from zeroconf._services import browser as service_browser
 from zeroconf._services import info as service_info
@@ -36,12 +36,13 @@ def run_isolated():
 
 @pytest.fixture
 def disable_duplicate_packet_suppression():
-    """Disable duplicate packet suppress.
-
-    Some tests run too slowly because of the duplicate
-    packet suppression.
-    """
-    with patch.object(const, "_DUPLICATE_PACKET_SUPPRESSION_INTERVAL", 0):
+    """Disable duplicate packet suppression."""
+    # _listener rebinds the interval at module scope, so const-only
+    # patching does not reach the hot path.
+    with (
+        patch.object(const, "_DUPLICATE_PACKET_SUPPRESSION_INTERVAL", 0),
+        patch.object(_listener, "_DUPLICATE_PACKET_SUPPRESSION_INTERVAL", 0),
+    ):
         yield
 
 
diff --git a/tests/test_asyncio.py b/tests/test_asyncio.py
@@ -901,7 +901,7 @@ async def test_async_unregister_all_services(quick_timing: None) -> None:
 
 
 @pytest.mark.asyncio
-async def test_async_zeroconf_service_types(quick_timing: None) -> None:
+async def test_async_zeroconf_service_types(quick_timing: None, disable_duplicate_packet_suppression) -> None:
     type_ = "_test-srvc-type._tcp.local."
     name = "xxxyyy"
     registration_name = f"{name}.{type_}"
diff --git a/tests/test_handlers.py b/tests/test_handlers.py
@@ -190,7 +190,7 @@ def test_name_conflicts(self):
             zc.register_service(conflicting_info)
         zc.close()
 
-    @pytest.mark.usefixtures("quick_timing")
+    @pytest.mark.usefixtures("quick_timing", "disable_duplicate_packet_suppression")
     def test_register_and_lookup_type_by_uppercase_name(self):
         # instantiate a zeroconf instance
         zc = Zeroconf(interfaces=["127.0.0.1"])
@@ -1758,7 +1758,7 @@ async def test_response_aggregation_timings_multiple(run_isolated, disable_dupli
     with patch.object(aiozc.zeroconf, "async_send") as send_mock:
         send_mock.reset_mock()
         protocol.datagram_received(query2.packets()[0], ("127.0.0.1", const._MDNS_PORT))
-        protocol.last_time = 0  # manually reset the last time to avoid duplicate packet suppression
+        protocol._recent_packets.clear()  # manually reset to avoid duplicate packet suppression
         await asyncio.sleep(0.2)
         calls = send_mock.mock_calls
         assert len(calls) == 1
@@ -1769,7 +1769,7 @@ async def test_response_aggregation_timings_multiple(run_isolated, disable_dupli
 
         send_mock.reset_mock()
         protocol.datagram_received(query2.packets()[0], ("127.0.0.1", const._MDNS_PORT))
-        protocol.last_time = 0  # manually reset the last time to avoid duplicate packet suppression
+        protocol._recent_packets.clear()  # manually reset to avoid duplicate packet suppression
         await asyncio.sleep(1.2)
         calls = send_mock.mock_calls
         assert len(calls) == 1
@@ -1780,9 +1780,9 @@ async def test_response_aggregation_timings_multiple(run_isolated, disable_dupli
 
         send_mock.reset_mock()
         protocol.datagram_received(query2.packets()[0], ("127.0.0.1", const._MDNS_PORT))
-        protocol.last_time = 0  # manually reset the last time to avoid duplicate packet suppression
+        protocol._recent_packets.clear()  # manually reset to avoid duplicate packet suppression
         protocol.datagram_received(query2.packets()[0], ("127.0.0.1", const._MDNS_PORT))
-        protocol.last_time = 0  # manually reset the last time to avoid duplicate packet suppression
+        protocol._recent_packets.clear()  # manually reset to avoid duplicate packet suppression
         # The minimum protected send_after is 1000ms + 20ms random; sleep
         # well under that so coarse timers on slow runners cannot push the
         # send into this window and flake the assertion.
diff --git a/tests/test_listener.py b/tests/test_listener.py
@@ -222,15 +222,16 @@ def handle_query_or_defer(
         _handle_query_or_defer.assert_called_once()
         _handle_query_or_defer.reset_mock()
 
-        # Now call with the different packet and handle_query_or_defer should fire
+        # Replay the first packet — the recency window remembers more than
+        # just the most recent payload, so this is a duplicate.
         listener._process_datagram_at_time(
             False,
             len(packet_with_qm_question),
             new_time,
             packet_with_qm_question,
             addrs,
         )
-        _handle_query_or_defer.assert_called_once()
+        _handle_query_or_defer.assert_not_called()
         _handle_query_or_defer.reset_mock()
 
         # Now call with the different packet with qu question and handle_query_or_defer should fire
@@ -257,18 +258,8 @@ def handle_query_or_defer(
 
         log.setLevel(logging.WARNING)
 
-        # Call with the QM packet again
-        listener._process_datagram_at_time(
-            False,
-            len(packet_with_qm_question),
-            new_time,
-            packet_with_qm_question,
-            addrs,
-        )
-        _handle_query_or_defer.assert_called_once()
-        _handle_query_or_defer.reset_mock()
-
-        # Now call with the same packet again and handle_query_or_defer should not fire
+        # Replay the QM packet with debug disabled — suppression must hold
+        # off the debug-log path too.
         listener._process_datagram_at_time(
             False,
             len(packet_with_qm_question),
@@ -285,3 +276,110 @@ def handle_query_or_defer(
         _handle_query_or_defer.reset_mock()
 
     zc.close()
+
+
+def test_guard_against_alternating_duplicate_packets():
+    """Alternating two distinct payloads must not bypass duplicate suppression."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    zc.registry.async_add(
+        ServiceInfo(
+            "_http._tcp.local.",
+            "Test._http._tcp.local.",
+            server="Test._http._tcp.local.",
+            port=4,
+        )
+    )
+    zc.question_history = QuestionHistoryWithoutSuppression()
+
+    class SubListener(_listener.AsyncListener):
+        def handle_query_or_defer(
+            self,
+            msg: DNSIncoming,
+            addr: str,
+            port: int,
+            transport: _engine._WrappedTransport,
+            v6_flow_scope: tuple[()] | tuple[int, int] = (),
+        ) -> None:
+            super().handle_query_or_defer(msg, addr, port, transport, v6_flow_scope)
+
+    listener = SubListener(zc)
+    listener.transport = MagicMock()
+
+    query_a = r.DNSOutgoing(const._FLAGS_QR_QUERY, multicast=True)
+    query_a.add_question(r.DNSQuestion("a._http._tcp.local.", const._TYPE_PTR, const._CLASS_IN))
+    packet_a = query_a.packets()[0]
+
+    query_b = r.DNSOutgoing(const._FLAGS_QR_QUERY, multicast=True)
+    query_b.add_question(r.DNSQuestion("b._http._tcp.local.", const._TYPE_PTR, const._CLASS_IN))
+    packet_b = query_b.packets()[0]
+
+    assert packet_a != packet_b
+
+    addrs = ("1.2.3.4", 43)
+
+    with patch.object(listener, "handle_query_or_defer") as _handle_query_or_defer:
+        now = current_time_millis()
+
+        # Prime both payloads.
+        listener._process_datagram_at_time(False, len(packet_a), now, packet_a, addrs)
+        listener._process_datagram_at_time(False, len(packet_b), now, packet_b, addrs)
+        assert _handle_query_or_defer.call_count == 2
+        _handle_query_or_defer.reset_mock()
+
+        for _ in range(4):
+            listener._process_datagram_at_time(False, len(packet_a), now, packet_a, addrs)
+            listener._process_datagram_at_time(False, len(packet_b), now, packet_b, addrs)
+        _handle_query_or_defer.assert_not_called()
+
+    zc.close()
+
+
+def test_recent_packets_window_is_bounded():
+    """Distinct payloads beyond the recency window evict oldest entries."""
+    zc = Zeroconf(interfaces=["127.0.0.1"])
+    zc.registry.async_add(
+        ServiceInfo(
+            "_http._tcp.local.",
+            "Test._http._tcp.local.",
+            server="Test._http._tcp.local.",
+            port=4,
+        )
+    )
+    zc.question_history = QuestionHistoryWithoutSuppression()
+
+    class SubListener(_listener.AsyncListener):
+        def handle_query_or_defer(
+            self,
+            msg: DNSIncoming,
+            addr: str,
+            port: int,
+            transport: _engine._WrappedTransport,
+            v6_flow_scope: tuple[()] | tuple[int, int] = (),
+        ) -> None:
+            super().handle_query_or_defer(msg, addr, port, transport, v6_flow_scope)
+
+    listener = SubListener(zc)
+    listener.transport = MagicMock()
+
+    addrs = ("1.2.3.4", 43)
+    now = current_time_millis()
+
+    packets = []
+    for i in range(_listener._RECENT_PACKETS_MAX + 4):
+        query = r.DNSOutgoing(const._FLAGS_QR_QUERY, multicast=True)
+        query.add_question(r.DNSQuestion(f"n{i}._http._tcp.local.", const._TYPE_PTR, const._CLASS_IN))
+        packets.append(query.packets()[0])
+
+    with patch.object(listener, "handle_query_or_defer") as _handle_query_or_defer:
+        for packet in packets:
+            listener._process_datagram_at_time(False, len(packet), now, packet, addrs)
+        assert _handle_query_or_defer.call_count == len(packets)
+        _handle_query_or_defer.reset_mock()
+
+        # The oldest packets should have been evicted and now replay.
+        evicted = packets[: len(packets) - _listener._RECENT_PACKETS_MAX]
+        for packet in evicted:
+            listener._process_datagram_at_time(False, len(packet), now, packet, addrs)
+        assert _handle_query_or_defer.call_count == len(evicted)
+
+    zc.close()
