Merge branch 'master' into fix/seen-logs-unbounded-retention

bdraco · web-flow · commit d3598be01759 · 2026-05-17T20:01:41.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,37 @@
 
 <!-- version list -->
 
+## v0.149.5 (2026-05-18)
+
+### Bug Fixes
+
+- Bound DNS compression-pointer chain depth in DNSIncoming
+  ([#1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719),
+  [`f9e2359`](https://github.com/python-zeroconf/python-zeroconf/commit/f9e23592137f30fdf7ef710dba065da31c79b1cf))
+
+### Testing
+
+- Cap helper get_service_info timeout in suppression test (~3.0s → ~1.85s)
+  ([#1708](https://github.com/python-zeroconf/python-zeroconf/pull/1708),
+  [`ee3c7d7`](https://github.com/python-zeroconf/python-zeroconf/commit/ee3c7d74ff45327a3a6d520b86a691e21e2bc219))
+
+- Drop ZeroconfServiceTypes.find() timeouts from 500ms to 200ms on loopback
+  ([#1710](https://github.com/python-zeroconf/python-zeroconf/pull/1710),
+  [`64d143d`](https://github.com/python-zeroconf/python-zeroconf/commit/64d143d2ee7874ee1d9cef0dd2799c008b4aa791))
+
+- Eliminate test_get_info_single race by injecting from the send mock
+  ([#1716](https://github.com/python-zeroconf/python-zeroconf/pull/1716),
+  [`963d3d7`](https://github.com/python-zeroconf/python-zeroconf/commit/963d3d70e1cde056967eba0d8747ddcd247ae707))
+
+- Fix race in test_register_and_lookup_type_by_uppercase_name
+  ([#1712](https://github.com/python-zeroconf/python-zeroconf/pull/1712),
+  [`91aa21d`](https://github.com/python-zeroconf/python-zeroconf/commit/91aa21d52a0873f5fc12d43675b1b521dfe20519))
+
+- Speed up service-info request tests with quick_request_timing fixture
+  ([#1709](https://github.com/python-zeroconf/python-zeroconf/pull/1709),
+  [`4bae30a`](https://github.com/python-zeroconf/python-zeroconf/commit/4bae30a2ed0910ee7c4f1d0f92f2c400a7b10f31))
+
+
 ## v0.149.4 (2026-05-17)
 
 ### Bug Fixes
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 
 [project]
 name = "zeroconf"
-version = "0.149.4"
+version = "0.149.5"
 license = "LGPL-2.1-or-later"
 description = "A pure python implementation of multicast DNS service discovery"
 readme = "README.rst"
diff --git a/src/zeroconf/__init__.py b/src/zeroconf/__init__.py
@@ -88,7 +88,7 @@
 
 __author__ = "Paul Scott-Murphy, William McBrine"
 __maintainer__ = "Jakub Stasiak <jakub@stasiak.at>"
-__version__ = "0.149.4"
+__version__ = "0.149.5"
 __license__ = "LGPL"
 
 
diff --git a/src/zeroconf/_protocol/incoming.pxd b/src/zeroconf/_protocol/incoming.pxd
@@ -83,7 +83,7 @@ cdef class DNSIncoming:
         link_py_int=object,
         linked_labels=cython.list
     )
-    cdef unsigned int _decode_labels_at_offset(self, unsigned int off, cython.list labels, cython.set seen_pointers)
+    cdef unsigned int _decode_labels_at_offset(self, unsigned int off, cython.list labels, cython.set seen_pointers, unsigned int depth)
 
     @cython.locals(offset="unsigned int")
     cdef void _read_header(self)
diff --git a/src/zeroconf/_protocol/incoming.py b/src/zeroconf/_protocol/incoming.py
@@ -60,7 +60,7 @@
 MAX_DNS_LABELS = 128
 MAX_NAME_LENGTH = 253
 
-DECODE_EXCEPTIONS = (IndexError, struct.error, IncomingDecodeError)
+DECODE_EXCEPTIONS = (IndexError, struct.error, IncomingDecodeError, RecursionError)
 
 
 _seen_logs: dict[str, None] = {}
@@ -403,7 +403,7 @@ def _read_name(self) -> str:
         labels: list[str] = []
         seen_pointers: set[int] = set()
         original_offset = self.offset
-        self.offset = self._decode_labels_at_offset(original_offset, labels, seen_pointers)
+        self.offset = self._decode_labels_at_offset(original_offset, labels, seen_pointers, 0)
         self._name_cache[original_offset] = labels
         name = ".".join(labels) + "."
         if len(name) > MAX_NAME_LENGTH:
@@ -412,8 +412,14 @@ def _read_name(self) -> str:
             )
         return name
 
-    def _decode_labels_at_offset(self, off: _int, labels: list[str], seen_pointers: set[int]) -> int:
+    def _decode_labels_at_offset(
+        self, off: _int, labels: list[str], seen_pointers: set[int], depth: _int
+    ) -> int:
         # This is a tight loop that is called frequently, small optimizations can make a difference.
+        if depth > MAX_DNS_LABELS:
+            raise IncomingDecodeError(
+                f"DNS compression pointer chain exceeds {MAX_DNS_LABELS} at {off} from {self.source}"
+            )
         view = self.view
         while off < self._data_len:
             length = view[off]
@@ -451,7 +457,7 @@ def _decode_labels_at_offset(self, off: _int, labels: list[str], seen_pointers:
             if not linked_labels:
                 linked_labels = []
                 seen_pointers.add(link_py_int)
-                self._decode_labels_at_offset(link, linked_labels, seen_pointers)
+                self._decode_labels_at_offset(link, linked_labels, seen_pointers, depth + 1)
                 self._name_cache[link_py_int] = linked_labels
             labels.extend(linked_labels)
             if len(labels) > MAX_DNS_LABELS:
diff --git a/tests/test_protocol.py b/tests/test_protocol.py
@@ -1035,6 +1035,28 @@ def test_label_compression_attack():
     assert len(parsed.answers()) == 1
 
 
+def test_dns_compression_pointer_chain_depth_attack() -> None:
+    """Test our wire parser rejects deeply chained compression pointers without recursing."""
+    # Build a packet with one question whose name is a 1500-deep chain of forward
+    # compression pointers, ending in a root label. Each pointer is 2 bytes,
+    # so chain length easily exceeds CPython's default recursion limit.
+    header = b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
+    # Question at offset 12: pointer to offset 18 (past the question's type/class).
+    question_name = bytes([0xC0, 18])
+    question_type_class = b"\x00\x01\x00\x01"
+    chain_depth = 1500
+    chain = bytearray()
+    for i in range(chain_depth):
+        target = 18 + 2 * (i + 1)
+        chain.append(0xC0 | (target >> 8))
+        chain.append(target & 0xFF)
+    chain.append(0x00)
+    packet = header + question_name + question_type_class + bytes(chain)
+    parsed = r.DNSIncoming(packet, ("1.2.3.4", 5353))
+    assert parsed.valid is False
+    assert parsed.questions == []
+
+
 def test_dns_compression_loop_attack():
     """Test our wire parser does not loop forever when dns compression is in a loop."""
     packet = (

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ cdef class DNSIncoming:`
`83`	`83`	`link_py_int=object,`
`84`	`84`	`linked_labels=cython.list`
`85`	`85`	`)`
`86`		`- cdef unsigned int _decode_labels_at_offset(self, unsigned int off, cython.list labels, cython.set seen_pointers)`
	`86`	`+ cdef unsigned int _decode_labels_at_offset(self, unsigned int off, cython.list labels, cython.set seen_pointers, unsigned int depth)`
`87`	`87`
`88`	`88`	`@cython.locals(offset="unsigned int")`
`89`	`89`	`cdef void _read_header(self)`