Clear PacketBuffer Content When Freed.

  -- Added new PacketBuffer::Clear() method to wipe the contents
     of buffers as they are returned to the pool.

  -- Also eliminated the integer overflow vulnerability by increasing
     the size (to uint32_t) of the rFrameLen parameter to the
     WeaveMessageLayer::DecodeMessageWithLength() method.

This change addresses CVE security vulnerability: CVE-2019-5040

Author: emargolis

src/lib/core/WeaveConnection.cpp

@@ -1394,7 +1394,7 @@ void WeaveConnection::HandleDataReceived(TCPEndPoint *endPoint, PacketBuffer *da
         uint8_t*            payload;
         uint16_t            payloadLen;
         PacketBuffer*       payloadBuf = NULL;
-        uint16_t            frameLen;
+        uint32_t            frameLen;
 
         packetInfo.Clear();
         con->GetPeerAddressInfo(packetInfo);
@@ -1808,7 +1808,7 @@ void WeaveConnection::HandleBleMessageReceived(BLEEndPoint *endPoint, PacketBuff
     uint8_t *payload;
     uint16_t payloadLen;
     PacketBuffer *payloadBuf;
-    uint16_t frameLen;
+    uint32_t frameLen;
     WEAVE_ERROR err;
 
     // Initialize the message info structure.

src/lib/core/WeaveMessageLayer.cpp

@@ -1410,7 +1410,7 @@ WEAVE_ERROR WeaveMessageLayer::EncodeMessageWithLength(WeaveMessageInfo *msgInfo
 }
 
 WEAVE_ERROR WeaveMessageLayer::DecodeMessageWithLength(PacketBuffer *msgBuf, uint64_t sourceNodeId, WeaveConnection *con,
-        WeaveMessageInfo *msgInfo, uint8_t **rPayload, uint16_t *rPayloadLen, uint16_t *rFrameLen)
+        WeaveMessageInfo *msgInfo, uint8_t **rPayload, uint16_t *rPayloadLen, uint32_t *rFrameLen)
 {
     uint8_t *dataStart = msgBuf->Start();
     uint16_t dataLen = msgBuf->DataLength();
@@ -1426,7 +1426,7 @@ WEAVE_ERROR WeaveMessageLayer::DecodeMessageWithLength(PacketBuffer *msgBuf, uin
     uint16_t msgLen = LittleEndian::Get16(dataStart);
 
     // The frame length is the length of the message plus the length of the length field.
-    *rFrameLen = msgLen + 2;
+    *rFrameLen = static_cast<uint32_t>(msgLen) + 2;
 
     // Error if the message buffer doesn't contain the entire message, or is too
     // long to ever fit in the buffer.

src/lib/core/WeaveMessageLayer.h

@@ -733,7 +733,7 @@ class NL_DLL_EXPORT WeaveMessageLayer
     WEAVE_ERROR EncodeMessageWithLength(WeaveMessageInfo *msgInfo, PacketBuffer *msgBuf, WeaveConnection *con,
             uint16_t maxLen);
     WEAVE_ERROR DecodeMessageWithLength(PacketBuffer *msgBuf, uint64_t sourceNodeId, WeaveConnection *con,
-            WeaveMessageInfo *msgInfo, uint8_t **rPayload, uint16_t *rPayloadLen, uint16_t *rFrameLen);
+            WeaveMessageInfo *msgInfo, uint8_t **rPayload, uint16_t *rPayloadLen, uint32_t *rFrameLen);
 
     static void HandleUDPMessage(UDPEndPoint *endPoint, PacketBuffer *msg, const IPPacketInfo *pktInfo);
     static void HandleUDPReceiveError(UDPEndPoint *endPoint, INET_ERROR err, const IPPacketInfo *pktInfo);

src/system/SystemPacketBuffer.cpp

@@ -50,6 +50,7 @@
 #endif // WEAVE_SYSTEM_CONFIG_USE_LWIP
 
 #include <Weave/Support/logging/WeaveLogging.h>
+#include <Weave/Support/crypto/WeaveCrypto.h>
 #include <Weave/Support/CodeUtils.h>
 
 #include <SystemLayer/SystemStats.h>
@@ -583,6 +584,7 @@ void PacketBuffer::Free(PacketBuffer* aPacket)
         if (aPacket->ref == 0)
         {
             SYSTEM_STATS_DECREMENT(nl::Weave::System::Stats::kSystemLayer_NumPacketBufs);
+            aPacket->Clear();
 #if WEAVE_SYSTEM_CONFIG_PACKETBUFFER_MAXALLOC
             aPacket->next = sFreeList;
             sFreeList = aPacket;
@@ -602,6 +604,21 @@ void PacketBuffer::Free(PacketBuffer* aPacket)
 #endif // !WEAVE_SYSTEM_CONFIG_USE_LWIP
 }
 
+/**
+ * Clear content of the packet buffer.
+ *
+ * This method is called by Free(), before the buffer is released to the free buffer pool.
+ */
+void PacketBuffer::Clear(void)
+{
+    nl::Weave::Crypto::ClearSecretData(reinterpret_cast<uint8_t*>(this) + WEAVE_SYSTEM_PACKETBUFFER_HEADER_SIZE, this->AllocSize());
+    tot_len = 0;
+    len = 0;
+#if WEAVE_SYSTEM_CONFIG_PACKETBUFFER_MAXALLOC == 0
+    alloc_size = 0;
+#endif // WEAVE_SYSTEM_CONFIG_PACKETBUFFER_MAXALLOC == 0
+}
+
 /**
  * Free the first buffer in a chain, returning a pointer to the remaining buffers.
  `*

src/system/SystemPacketBuffer.h

@@ -139,6 +139,8 @@ class NL_DLL_EXPORT PacketBuffer : private pbuf
 
     static PacketBuffer* BuildFreeList(void);
 #endif // !WEAVE_SYSTEM_CONFIG_USE_LWIP && WEAVE_SYSTEM_CONFIG_PACKETBUFFER_MAXALLOC
+
+    void Clear(void);
 };
 
 } // namespace System
@@ -203,7 +205,8 @@ typedef union
 #endif // !WEAVE_SYSTEM_CONFIG_USE_LWIP && WEAVE_SYSTEM_CONFIG_PACKETBUFFER_MAXALLOC
 
 /**
- * Return the size of the allocation including the PacketBuffer structure and its payload data space.
+ * Return the size of the allocation including the reserved and payload data spaces but not including space
+ * allocated for the PacketBuffer structure.
  *
  *  @note    The allocation size is equal or greater than \c aAllocSize paramater to \c Create method).
  *