http2: limit the number of inbound frames. (envoyproxy#20)

This change adds protections against flooding using PRIORITY
and/or WINDOW_UPDATE frames, as well as frames with an empty
payload and no end stream flag.

Fixes CVE-2019-9511, CVE-2019-9513 and CVE-2019-9518.

Signed-off-by: Piotr Sikora <[email protected]>

Author: PiotrSikora

docs/root/intro/version_history.rst

@@ -83,7 +83,10 @@ Version history
   Runtime feature `envoy.reloadable_features.http2_protocol_options.stream_error_on_invalid_http_messaging` overrides :ref:`stream_error_on_invalid_http_messaging config setting <envoy_api_field_core.Http2ProtocolOptions.stream_error_on_invalid_http_messaging>`.
 1.11.1 (Pending)
 ================
-* http: added mitigation of client initiated atacks that result in flooding of the outbound queue of downstream HTTP/2 connections.
+* http: added mitigation of client initiated atacks that result in flooding of the downstream HTTP/2 connections.
+* http: added :ref:`inbound_empty_frames_flood <config_http_conn_man_stats_per_codec>` counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on consecutive inbound frames with an empty payload and no end stream flag. The limit is configured by setting the :ref:`max_consecutive_inbound_frames_with_empty_payload config setting <envoy_api_field_core.Http2ProtocolOptions.max_consecutive_inbound_frames_with_empty_payload>`.
+* http: added :ref:`inbound_priority_frames_flood <config_http_conn_man_stats_per_codec>` counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on inbound PRIORITY frames. The limit is configured by setting the :ref:`max_inbound_priority_frames_per_stream config setting <envoy_api_field_core.Http2ProtocolOptions.max_inbound_priority_frames_per_stream>`.
+* http: added :ref:`inbound_window_update_frames_flood <config_http_conn_man_stats_per_codec>` counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on inbound WINDOW_UPDATE frames. The limit is configured by setting the :ref:`max_inbound_window_update_frames_per_data_frame_sent config setting <envoy_api_field_core.Http2ProtocolOptions.max_inbound_window_update_frames_per_data_frame_sent>`.
 * http: added :ref:`outbound_flood <config_http_conn_man_stats_per_codec>` counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the outbound queue limit. The limit is configured by setting the :ref:`max_outbound_frames config setting <envoy_api_field_core.Http2ProtocolOptions.max_outbound_frames>`
 * http: added :ref:`outbound_control_flood <config_http_conn_man_stats_per_codec>` counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the outbound queue limit for PING, SETTINGS and RST_STREAM frames. The limit is configured by setting the :ref:`max_outbound_control_frames config setting <envoy_api_field_core.Http2ProtocolOptions.max_outbound_control_frames>`.
 

source/common/http/http2/codec_impl.h

@@ -369,6 +369,40 @@ class ConnectionImpl : public virtual Connection, protected Logger::Loggable<Log
   // corresponding http2_protocol_options. Default value is 1000.
   const uint32_t max_outbound_control_frames_;
   const Buffer::OwnedBufferFragmentImpl::Releasor control_frame_buffer_releasor_;
+  // This counter keeps track of the number of consecutive inbound frames of types HEADERS,
+  // CONTINUATION and DATA with an empty payload and no end stream flag. If this counter exceeds
+  // the `max_consecutive_inbound_frames_with_empty_payload_` value the connection is terminated.
+  uint32_t consecutive_inbound_frames_with_empty_payload_ = 0;
+  // Maximum number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA without
+  // a payload. Initialized from corresponding http2_protocol_options. Default value is 1.
+  const uint32_t max_consecutive_inbound_frames_with_empty_payload_;
+
+  // This counter keeps track of the number of inbound streams.
+  uint32_t inbound_streams_ = 0;
+  // This counter keeps track of the number of inbound PRIORITY frames. If this counter exceeds
+  // the value calculated using this formula:
+  //
+  //     max_inbound_priority_frames_per_stream_ * (1 + inbound_streams_)
+  //
+  // the connection is terminated.
+  uint64_t inbound_priority_frames_ = 0;
+  // Maximum number of inbound PRIORITY frames per stream. Initialized from corresponding
+  // http2_protocol_options. Default value is 100.
+  const uint32_t max_inbound_priority_frames_per_stream_;
+
+  // This counter keeps track of the number of inbound WINDOW_UPDATE frames. If this counter exceeds
+  // the value calculated using this formula:
+  //
+  //     1 + 2 * (inbound_streams_ +
+  //              max_inbound_window_update_frames_per_data_frame_sent_ * outbound_data_frames_)
+  //
+  // the connection is terminated.
+  uint64_t inbound_window_update_frames_ = 0;
+  // This counter keeps track of the number of outbound DATA frames.
+  uint64_t outbound_data_frames_ = 0;
+  // Maximum number of inbound WINDOW_UPDATE frames per outbound DATA frame sent. Initialized
+  // from corresponding http2_protocol_options. Default value is 10.
+  const uint32_t max_inbound_window_update_frames_per_data_frame_sent_;
 
 private:
   virtual ConnectionCallbacks& callbacks() PURE;

test/integration/http2_integration_test.cc

@@ -1788,4 +1788,116 @@ TEST_P(Http2FloodMitigationTest, ZerolenHeaderAllowed) {
             test_server_->counter("http.config_test.downstream_cx_delayed_close_timeout")->value());
 }
 
+TEST_P(Http2FloodMitigationTest, EmptyHeaders) {
+  config_helper_.addConfigModifier(
+      [&](envoy::config::filter::network::http_connection_manager::v2::HttpConnectionManager& hcm)
+          -> void {
+        hcm.mutable_http2_protocol_options()
+            ->mutable_max_consecutive_inbound_frames_with_empty_payload()
+            ->set_value(0);
+      });
+  beginSession();
+
+  uint32_t request_idx = 0;
+  auto request = Http2Frame::makeEmptyHeadersFrame(request_idx);
+  sendFame(request);
+
+  tcp_client_->waitForDisconnect();
+
+  EXPECT_EQ(1, test_server_->counter("http2.inbound_empty_frames_flood")->value());
+  // Verify that connection was closed abortively
+  EXPECT_EQ(0,
+            test_server_->counter("http.config_test.downstream_cx_delayed_close_timeout")->value());
+}
+
+TEST_P(Http2FloodMitigationTest, EmptyHeadersContinuation) {
+  beginSession();
+
+  uint32_t request_idx = 0;
+  auto request = Http2Frame::makeEmptyHeadersFrame(request_idx);
+  sendFame(request);
+
+  for (int i = 0; i < 2; i++) {
+    request = Http2Frame::makeEmptyContinuationFrame(request_idx);
+    sendFame(request);
+  }
+
+  tcp_client_->waitForDisconnect();
+
+  EXPECT_EQ(1, test_server_->counter("http2.inbound_empty_frames_flood")->value());
+  // Verify that connection was closed abortively
+  EXPECT_EQ(0,
+            test_server_->counter("http.config_test.downstream_cx_delayed_close_timeout")->value());
+}
+
+TEST_P(Http2FloodMitigationTest, EmptyData) {
+  beginSession();
+  fake_upstreams_[0]->set_allow_unexpected_disconnects(true);
+
+  uint32_t request_idx = 0;
+  auto request = Http2Frame::makePostRequest(request_idx, "host", "/");
+  sendFame(request);
+
+  for (int i = 0; i < 2; i++) {
+    request = Http2Frame::makeEmptyDataFrame(request_idx);
+    sendFame(request);
+  }
+
+  tcp_client_->waitForDisconnect();
+
+  EXPECT_EQ(1, test_server_->counter("http2.inbound_empty_frames_flood")->value());
+  // Verify that connection was closed abortively
+  EXPECT_EQ(0,
+            test_server_->counter("http.config_test.downstream_cx_delayed_close_timeout")->value());
+}
+
+TEST_P(Http2FloodMitigationTest, PriorityIdleStream) {
+  beginSession();
+
+  floodServer(Http2Frame::makePriorityFrame(0, 1), "http2.inbound_priority_frames_flood");
+}
+
+TEST_P(Http2FloodMitigationTest, PriorityOpenStream) {
+  beginSession();
+  fake_upstreams_[0]->set_allow_unexpected_disconnects(true);
+
+  // Open stream.
+  uint32_t request_idx = 0;
+  auto request = Http2Frame::makeRequest(request_idx, "host", "/");
+  sendFame(request);
+
+  floodServer(Http2Frame::makePriorityFrame(request_idx, request_idx + 1),
+              "http2.inbound_priority_frames_flood");
+}
+
+TEST_P(Http2FloodMitigationTest, PriorityClosedStream) {
+  autonomous_upstream_ = true;
+  beginSession();
+  fake_upstreams_[0]->set_allow_unexpected_disconnects(true);
+
+  // Open stream.
+  uint32_t request_idx = 0;
+  auto request = Http2Frame::makeRequest(request_idx, "host", "/");
+  sendFame(request);
+  // Reading response marks this stream as closed in nghttp2.
+  auto frame = readFrame();
+  EXPECT_EQ(Http2Frame::Type::HEADERS, frame.type());
+
+  floodServer(Http2Frame::makePriorityFrame(request_idx, request_idx + 1),
+              "http2.inbound_priority_frames_flood");
+}
+
+TEST_P(Http2FloodMitigationTest, WindowUpdate) {
+  beginSession();
+  fake_upstreams_[0]->set_allow_unexpected_disconnects(true);
+
+  // Open stream.
+  uint32_t request_idx = 0;
+  auto request = Http2Frame::makeRequest(request_idx, "host", "/");
+  sendFame(request);
+
+  floodServer(Http2Frame::makeWindowUpdateFrame(request_idx, 1),
+              "http2.inbound_window_update_frames_flood");
+}
+
 } // namespace Envoy

test/integration/http2_integration_test.h

@@ -89,9 +89,9 @@ class Http2FloodMitigationTest : public testing::TestWithParam<Network::Address:
 
 protected:
   void startHttp2Session();
-  void floodServer(const Http2Frame& frame);
+  void floodServer(const Http2Frame& frame, const std::string& flood_stat);
   void floodServer(absl::string_view host, absl::string_view path,
-                   Http2Frame::ResponseStatus expected_http_status);
+                   Http2Frame::ResponseStatus expected_http_status, const std::string& flood_stat);
   Http2Frame readFrame();
   void sendFame(const Http2Frame& frame);
   void beginSession();