Add protection against slowloris vulnerability

This changes the behavior of the `timeout` protocol option to
mean "Time in which the full request line and headers must be
received". The default of 5s should be fine for all normal uses.

This change has no noticeable impact on performance and is thus
enabled by default for everyone. It can be disabled by setting
`timeout` to `infinity` although that is definitely not encouraged.

Inspired by the contribution from @naryl on github.

src/cowboy_protocol.erl

@@ -38,8 +38,8 @@
 %%   not available at this point.</dd>
 %%  <dt>onresponse</dt><dd>Optional fun that allows replacing a response
 %%   sent by the application.</dd>
-%%  <dt>timeout</dt><dd>Time in milliseconds before an idle
-%%   connection is closed. Defaults to 5000 milliseconds.</dd>
+%%  <dt>timeout</dt><dd>Time in milliseconds a client has to send the
+%%   full request line and headers. Defaults to 5000 milliseconds.</dd>
 %% </dl>
 %%
 %% Note that there is no need to monitor these processes when using Cowboy as
@@ -74,7 +74,8 @@
 	max_header_name_length :: non_neg_integer(),
 	max_header_value_length :: non_neg_integer(),
 	max_headers :: non_neg_integer(),
-	timeout :: timeout()
+	timeout :: timeout(),
+	until :: non_neg_integer() | infinity
 }).
 
 %% API.
@@ -116,7 +117,15 @@ init(ListenerPid, Socket, Transport, Opts) ->
 		max_request_line_length=MaxRequestLineLength,
 		max_header_name_length=MaxHeaderNameLength,
 		max_header_value_length=MaxHeaderValueLength, max_headers=MaxHeaders,
-		timeout=Timeout, onrequest=OnRequest, onresponse=OnResponse}, 0).
+		onrequest=OnRequest, onresponse=OnResponse,
+		timeout=Timeout, until=until(Timeout)}, 0).
+
+-spec until(timeout()) -> non_neg_integer() | infinity.
+until(infinity) ->
+	infinity;
+until(Timeout) ->
+	{Me, S, Mi} = os:timestamp(),
+	Me * 1000000000 + S * 1000 + Mi div 1000 + Timeout.
 
 %% Request parsing.
 %%
@@ -125,10 +134,24 @@ init(ListenerPid, Socket, Transport, Opts) ->
 %% right after the header parsing is finished and the code becomes
 %% more interesting past that point.
 
+-spec recv(inet:socket(), module(), non_neg_integer() | infinity)
+	-> {ok, binary()} | {error, closed | timeout | atom()}.
+recv(Socket, Transport, infinity) ->
+	Transport:recv(Socket, 0, infinity);
+recv(Socket, Transport, Until) ->
+	{Me, S, Mi} = os:timestamp(),
+	Now = Me * 1000000000 + S * 1000 + Mi div 1000,
+	Timeout = Until - Now,
+	if	Timeout < 0 ->
+			{error, timeout};
+		true ->
+			Transport:recv(Socket, 0, Timeout)
+	end.
+
 -spec wait_request(binary(), #state{}, non_neg_integer()) -> ok.
 wait_request(Buffer, State=#state{socket=Socket, transport=Transport,
-		timeout=Timeout}, ReqEmpty) ->
-	case Transport:recv(Socket, 0, Timeout) of
+		until=Until}, ReqEmpty) ->
+	case recv(Socket, Transport, Until) of
 		{ok, Data} ->
 			parse_request(<< Buffer/binary, Data/binary >>, State, ReqEmpty);
 		{error, _} ->
@@ -219,8 +242,8 @@ wait_header(_, State=#state{max_headers=MaxHeaders}, _, _, _, _, _, Headers)
 		when length(Headers) >= MaxHeaders ->
 	error_terminate(400, State);
 wait_header(Buffer, State=#state{socket=Socket, transport=Transport,
-		timeout=Timeout}, M, P, Q, F, V, H) ->
-	case Transport:recv(Socket, 0, Timeout) of
+		until=Until}, M, P, Q, F, V, H) ->
+	case recv(Socket, Transport, Until) of
 		{ok, Data} ->
 			parse_header(<< Buffer/binary, Data/binary >>,
 				State, M, P, Q, F, V, H);
@@ -291,9 +314,9 @@ parse_hd_name_ws(<< C, Rest/bits >>, S, M, P, Q, F, V, H, Name) ->
 	end.
 
 wait_hd_before_value(Buffer, State=#state{
-		socket=Socket, transport=Transport, timeout=Timeout},
+		socket=Socket, transport=Transport, until=Until},
 		M, P, Q, F, V, H, N) ->
-	case Transport:recv(Socket, 0, Timeout) of
+	case recv(Socket, Transport, Until) of
 		{ok, Data} ->
 			parse_hd_before_value(<< Buffer/binary, Data/binary >>,
 				State, M, P, Q, F, V, H, N);
@@ -323,9 +346,9 @@ parse_hd_before_value(Buffer, State=#state{
 %% to change the other arguments' position and trigger costy
 %% operations for no reasons.
 wait_hd_value(_, State=#state{
-		socket=Socket, transport=Transport, timeout=Timeout},
+		socket=Socket, transport=Transport, until=Until},
 		M, P, Q, F, V, H, N, SoFar) ->
-	case Transport:recv(Socket, 0, Timeout) of
+	case recv(Socket, Transport, Until) of
 		{ok, Data} ->
 			parse_hd_value(Data, State, M, P, Q, F, V, H, N, SoFar);
 		{error, timeout} ->
@@ -338,9 +361,9 @@ wait_hd_value(_, State=#state{
 %% to check for multilines allows us to avoid a few tests in
 %% the critical path, but forces us to have a special function.
 wait_hd_value_nl(_, State=#state{
-		socket=Socket, transport=Transport, timeout=Timeout},
+		socket=Socket, transport=Transport, until=Until},
 		M, P, Q, F, V, Headers, Name, SoFar) ->
-	case Transport:recv(Socket, 0, Timeout) of
+	case recv(Socket, Transport, Until) of
 		{ok, << C, Data/bits >>} when C =:= $\s; C =:= $\t  ->
 			parse_hd_value(Data, State, M, P, Q, F, V, Headers, Name, SoFar);
 		{ok, Data} ->
@@ -492,7 +515,8 @@ resume(State, Env, Tail, Module, Function, Args) ->
 	end.
 
 -spec next_request(cowboy_req:req(), #state{}, any()) -> ok.
-next_request(Req, State=#state{req_keepalive=Keepalive}, HandlerRes) ->
+next_request(Req, State=#state{req_keepalive=Keepalive, timeout=Timeout},
+		HandlerRes) ->
 	cowboy_req:ensure_response(Req, 204),
 	{BodyRes, [Buffer, Connection]} = case cowboy_req:skip_body(Req) of
 		{ok, Req2} -> {ok, cowboy_req:get([buffer, connection], Req2)};
@@ -503,7 +527,7 @@ next_request(Req, State=#state{req_keepalive=Keepalive}, HandlerRes) ->
 	case {HandlerRes, BodyRes, Connection} of
 		{ok, ok, keepalive} ->
 			?MODULE:parse_request(Buffer, State#state{
-				req_keepalive=Keepalive + 1}, 0);
+				req_keepalive=Keepalive + 1, until=until(Timeout)}, 0);
 		_Closed ->
 			terminate(State)
 	end.

test/http_SUITE.erl

@@ -60,6 +60,8 @@
 -export([set_resp_body/1]).
 -export([set_resp_header/1]).
 -export([set_resp_overwrite/1]).
+-export([slowloris/1]).
+-export([slowloris2/1]).
 -export([static_attribute_etag/1]).
 -export([static_function_etag/1]).
 -export([static_mimetypes_function/1]).
@@ -110,6 +112,8 @@ groups() ->
 		set_resp_body,
 		set_resp_header,
 		set_resp_overwrite,
+		slowloris,
+		slowloris2,
 		static_attribute_etag,
 		static_function_etag,
 		static_mimetypes_function,
@@ -812,6 +816,34 @@ set_resp_overwrite(Config) ->
 	{<<"server">>, <<"DesireDrive/1.0">>}
 		= lists:keyfind(<<"server">>, 1, Headers).
 
+slowloris(Config) ->
+	Client = ?config(client, Config),
+	Transport = ?config(transport, Config),
+	{ok, Client2} = cowboy_client:connect(
+		Transport, "localhost", ?config(port, Config), Client),
+	try
+		[begin
+			{ok, _} = cowboy_client:raw_request([C], Client2),
+			receive after 25 -> ok end
+		end || C <- "GET / HTTP/1.1\r\nHost: localhost\r\n"
+			"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US)\r\n"
+			"Cookie: name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n"],
+		error(failure)
+	catch error:{badmatch, _} ->
+		ok
+	end.
+
+slowloris2(Config) ->
+	Client = ?config(client, Config),
+	Transport = ?config(transport, Config),
+	{ok, Client2} = cowboy_client:connect(
+		Transport, "localhost", ?config(port, Config), Client),
+	{ok, _} = cowboy_client:raw_request("GET / HTTP/1.1\r\n", Client2),
+	receive after 300 -> ok end,
+	{ok, _} = cowboy_client:raw_request("Host: localhost\r\n", Client2),
+	receive after 300 -> ok end,
+	{ok, 408, _, _} = cowboy_client:response(Client2).
+
 static_attribute_etag(Config) ->
 	Client = ?config(client, Config),
 	{ok, Client2} = cowboy_client:request(<<"GET">>,