Fix TCP Connection Denial-Of-Service (DOS) Vulnerability.

  -- Configured a default idle time for inbound Weave TCP connections
     after which the idle connection will be destroyed.
  -- Limited the number of inbound Weave TCP connections.
  -- Limited the number of Weave TCP connections from single IP address.

This change addresses CVE security vulnerability: CVE-2019-5043

Author: emargolis

src/lib/core/WeaveConfig.h

@@ -1012,6 +1012,37 @@
 #define WEAVE_CONFIG_MAX_CONNECTIONS                        INET_CONFIG_NUM_TCP_ENDPOINTS
 #endif // WEAVE_CONFIG_MAX_CONNECTIONS
 
+/**
+ *  @def WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS
+ *
+ *  @brief
+ *    Maximum number of simultaneously active inbound TCP connections.
+ *
+ *    Regardless of what #WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS
+ *    is set to, the total number of inbound connections cannot exceed
+ *    #WEAVE_CONFIG_MAX_CONNECTIONS, which is the overall limit for
+ *    inbound and outbound connections.
+ */
+#ifndef WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS
+#define WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS           (WEAVE_CONFIG_MAX_CONNECTIONS * 4 / 5)
+#endif // WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS
+
+/**
+ *  @def WEAVE_CONFIG_MAX_INCOMING_TCP_CON_FROM_SINGLE_IP
+ *
+ *  @brief
+ *    Maximum number of simultaneously active inbound TCP connections
+ *    from the single IP address.
+ *
+ *    Regardless of what #WEAVE_CONFIG_MAX_INCOMING_TCP_CON_FROM_SINGLE_IP
+ *    is set to, the total number of inbound connections from a single IP
+ *    address cannot exceed #WEAVE_CONFIG_MAX_CONNECTIONS or
+ *    #WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS.
+ */
+#ifndef WEAVE_CONFIG_MAX_INCOMING_TCP_CON_FROM_SINGLE_IP
+#define WEAVE_CONFIG_MAX_INCOMING_TCP_CON_FROM_SINGLE_IP    2
+#endif // WEAVE_CONFIG_MAX_INCOMING_TCP_CON_FROM_SINGLE_IP
+
 /**
  *  @def WEAVE_CONFIG_MAX_TUNNELS
  *
@@ -1836,6 +1867,18 @@
 #define WEAVE_CONFIG_SERVICE_DIR_CONNECT_TIMEOUT_MSECS      (10000)
 #endif // WEAVE_CONFIG_SERVICE_DIR_CONNECT_TIMEOUT_MSECS
 
+/**
+ *  @def WEAVE_CONFIG_DEFAULT_INCOMING_CONNECTION_IDLE_TIMEOUT
+ *
+ *  @brief
+ *    The default minimum amount of time, in milliseconds, that an inbound idle
+ *    connection will be allowed to exist before being destroyed.
+ *
+ */
+#ifndef WEAVE_CONFIG_DEFAULT_INCOMING_CONNECTION_IDLE_TIMEOUT
+#define WEAVE_CONFIG_DEFAULT_INCOMING_CONNECTION_IDLE_TIMEOUT        15000
+#endif // WEAVE_CONFIG_DEFAULT_INCOMING_CONNECTION_IDLE_TIMEOUT
+
 /**
  *  @def WEAVE_CONFIG_MSG_COUNTER_SYNC_RESP_TIMEOUT
  *

src/lib/core/WeaveConnection.cpp

@@ -1635,6 +1635,7 @@ void WeaveConnection::Init(WeaveMessageLayer *msgLayer)
 #if WEAVE_CONFIG_ENABLE_DNS_RESOLVER
     mDNSOptions = 0;
 #endif
+    mFlags = 0;
 }
 
 // Default OnConnectionClosed handler.

src/lib/core/WeaveMessageLayer.cpp

@@ -152,7 +152,7 @@ WEAVE_ERROR WeaveMessageLayer::Init(InitContext *context)
     ExchangeMgr = NULL;
     SecurityMgr = NULL;
     IsListening = context->listenTCP || context->listenUDP;
-    IncomingConIdleTimeout = 0;
+    IncomingConIdleTimeout = WEAVE_CONFIG_DEFAULT_INCOMING_CONNECTION_IDLE_TIMEOUT;
 
     //Internal and for Debug Only; When set, Message Layer drops message and returns.
     mDropMessage = false;
@@ -773,6 +773,27 @@ WeaveConnection *WeaveMessageLayer::NewConnection()
     return NULL;
 }
 
+void WeaveMessageLayer::GetIncomingTCPConCount(const IPAddress &peerAddr, uint16_t &count, uint16_t &countFromIP)
+{
+    count = 0;
+    countFromIP = 0;
+
+    WeaveConnection *con = (WeaveConnection *) mConPool;
+    for (int i = 0; i < WEAVE_CONFIG_MAX_CONNECTIONS; i++, con++)
+    {
+        if (con->mRefCount > 0 &&
+            con->NetworkType == WeaveConnection::kNetworkType_IP &&
+            con->IsIncoming())
+        {
+            count++;
+            if (con->PeerAddr == peerAddr)
+            {
+                countFromIP++;
+            }
+        }
+    }
+}
+
 /**
  *  Create a new WeaveConnectionTunnel object from a pool.
  *
@@ -1631,6 +1652,9 @@ void WeaveMessageLayer::HandleIncomingBleConnection(BLEEndPoint *bleEP)
     // Set the default idle timeout.
     con->SetIdleTimeout(msgLayer->IncomingConIdleTimeout);
 
+    // Set incoming connection flag.
+    con->SetIncoming(true);
+
     // If the exchange manager has been initialized, call its callback.
     if (msgLayer->ExchangeMgr != NULL)
         msgLayer->ExchangeMgr->HandleConnectionReceived(con);
@@ -1646,6 +1670,8 @@ void WeaveMessageLayer::HandleIncomingTcpConnection(TCPEndPoint *listeningEP, TC
     INET_ERROR err;
     IPAddress localAddr;
     uint16_t localPort;
+    uint16_t incomingTCPConCount;
+    uint16_t incomingTCPConCountFromIP;
     WeaveMessageLayer *msgLayer = (WeaveMessageLayer *) listeningEP->AppState;
 
     // Immediately close the connection if there's no callback registered.
@@ -1657,6 +1683,17 @@ void WeaveMessageLayer::HandleIncomingTcpConnection(TCPEndPoint *listeningEP, TC
         return;
     }
 
+    // Fail if too many incoming TCP connections.
+    msgLayer->GetIncomingTCPConCount(peerAddr, incomingTCPConCount, incomingTCPConCountFromIP);
+    if (incomingTCPConCount == WEAVE_CONFIG_MAX_INCOMING_TCP_CONNECTIONS ||
+        incomingTCPConCountFromIP == WEAVE_CONFIG_MAX_INCOMING_TCP_CON_FROM_SINGLE_IP)
+    {
+        conEP->Free();
+        if (msgLayer->OnAcceptError != NULL)
+            msgLayer->OnAcceptError(msgLayer, WEAVE_ERROR_TOO_MANY_CONNECTIONS);
+        return;
+    }
+
     // Attempt to allocate a connection object. Fail if too many connections.
     WeaveConnection *con = msgLayer->NewConnection();
     if (con == NULL)
@@ -1691,6 +1728,9 @@ void WeaveMessageLayer::HandleIncomingTcpConnection(TCPEndPoint *listeningEP, TC
     // Set the default idle timeout.
     con->SetIdleTimeout(msgLayer->IncomingConIdleTimeout);
 
+    // Set incoming connection flag.
+    con->SetIncoming(true);
+
     // If the exchange manager has been initialized, call its callback.
     if (msgLayer->ExchangeMgr != NULL)
         msgLayer->ExchangeMgr->HandleConnectionReceived(con);

src/lib/core/WeaveMessageLayer.h

@@ -364,6 +364,9 @@ class WeaveConnection
     typedef void (*ReceiveErrorFunct)(WeaveConnection *con, WEAVE_ERROR err);
     ReceiveErrorFunct OnReceiveError;
 
+    bool IsIncoming(void) const { return GetFlag(mFlags, kFlag_IsIncoming); }
+    void SetIncoming(bool val)  { SetFlag(mFlags, kFlag_IsIncoming, val); }
+
 private:
     enum
     {
@@ -381,6 +384,13 @@ class WeaveConnection
     uint8_t mDNSOptions;
 #endif
 
+    enum FlagsEnum
+    {
+        kFlag_IsIncoming              = 0x01,           /**< The connection was initiated by external node. */
+    };
+
+    uint8_t mFlags;                                     /**< Various flags associated with the connection. */
+
     void Init(WeaveMessageLayer *msgLayer);
     void MakeConnectedTcp(TCPEndPoint *endPoint, const IPAddress &localAddr, const IPAddress &peerAddr);
     WEAVE_ERROR StartConnect(void);
@@ -734,6 +744,7 @@ class NL_DLL_EXPORT WeaveMessageLayer
             uint16_t maxLen);
     WEAVE_ERROR DecodeMessageWithLength(PacketBuffer *msgBuf, uint64_t sourceNodeId, WeaveConnection *con,
             WeaveMessageInfo *msgInfo, uint8_t **rPayload, uint16_t *rPayloadLen, uint32_t *rFrameLen);
+    void GetIncomingTCPConCount(const IPAddress &peerAddr, uint16_t &count, uint16_t &countFromIP);
 
     static void HandleUDPMessage(UDPEndPoint *endPoint, PacketBuffer *msg, const IPPacketInfo *pktInfo);
     static void HandleUDPReceiveError(UDPEndPoint *endPoint, INET_ERROR err, const IPPacketInfo *pktInfo);