python · zeroconf
Heads-up
zeroconf: Missing length check in _read_character_string and _read_string
What changed
In zeroconf, `_read_character_string` and `_read_string` in `src/zeroconf/_protocol/incoming.py` did not check the declared length against the buffer size, allowing a truncated payload to be parsed and cached before a parse failure occurs.
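As an added illustration (not zeroconf's own code), here is a minimal DNS TXT character-string reader in the pattern described above, with the unchecked variant beside a length-checked one; every function name and sample byte string below is constructed for this example.

```python
# Added example, not zeroconf's incoming.py: models the missing-length-check bug.
from typing import Callable, Optional

Reader = Callable[[bytes, int], tuple[bytes, int]]

def read_character_string_unchecked(data: bytes, offset: int) -> tuple[bytes, int]:
    """Vulnerable pattern: trusts the declared length byte. Python slicing does
    not raise when the slice runs past the buffer, so a short payload silently
    yields a partial value and an offset beyond len(data)."""
    length = data[offset]
    offset += 1
    return data[offset:offset + length], offset + length

def read_character_string_checked(data: bytes, offset: int) -> tuple[bytes, int]:
    """Hardened pattern: verify the declared length fits before slicing."""
    if offset >= len(data):
        raise ValueError("missing length byte")
    length = data[offset]
    offset += 1
    end = offset + length
    if end > len(data):
        raise ValueError(
            f"character-string declares {length} bytes, only {len(data) - offset} remain"
        )
    return data[offset:end], end

def parse_txt(rdata: bytes, reader: Reader) -> list[bytes]:
    """Decode TXT RDATA as a sequence of <character-string>s (length + bytes)."""
    values: list[bytes] = []
    offset = 0
    while offset < len(rdata):
        value, offset = reader(rdata, offset)
        values.append(value)  # a caller that caches here would keep a truncated value
    return values

def try_parse_txt(rdata: bytes, reader: Reader) -> Optional[list[bytes]]:
    """Return decoded values, or None when the reader rejects the payload."""
    try:
        return parse_txt(rdata, reader)
    except ValueError:
        return None

# Constructed samples: a well-formed TXT, and one whose second string declares
# 10 bytes (0x0a) but carries only 4 ("worl").
VALID_TXT = b"\x05hello\x05world"
TRUNCATED_TXT = b"\x05hello\x0aworl"
# try_parse_txt(TRUNCATED_TXT, read_character_string_unchecked) -> [b'hello', b'worl']
# try_parse_txt(TRUNCATED_TXT, read_character_string_checked)   -> None
```

The unchecked reader returns a plausible-looking list for the truncated record, which is exactly what lets a caller cache it before any failure surfaces; the checked reader fails before anything is stored.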
Who it affects
All users of zeroconf prior to 0.149.16, especially those using mDNS discovery in Home Assistant or other integrations that trust decoded records.
What to do today
Upgrade to zeroconf >= 0.149.16 immediately.