[PATCH] tipc: validate conn_timeout to prevent divide-by-zero
From: Mehul Rao
Date: Thu Mar 05 2026 - 16:54:09 EST
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:

    delay %= (tsk->conn_timeout / 4);

If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.

Fix this by rejecting conn_timeout values less than 4 in
tipc_setsockopt() with -EINVAL. Values below 4ms are not meaningful as
a connection timeout anyway.

Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv+0x1b99/0x3040
Call Trace:
 tipc_sk_backlog_rcv+0xe4/0x1d0
 __release_sock+0x1ef/0x2a0
 release_sock+0x55/0x190
 tipc_connect+0x140/0x510
 __sys_connect+0x1bb/0x2e0

Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Signed-off-by: Mehul Rao <mehulrao@xxxxxxxxx>
---
net/tipc/socket.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 4c618c2b871d..85c07b0ba0ec 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -3184,6 +3184,10 @@ static int tipc_setsockopt(struct socket *sock, int lvl, int opt,
tsk_set_unreturnable(tsk, value);
break;
case TIPC_CONN_TIMEOUT:
+ if (value < 4) {
+ res = -EINVAL;
+ break;
+ }
tipc_sk(sk)->conn_timeout = value;
break;
case TIPC_MCAST_BROADCAST:
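Review bot: the bare `4` in `if (value < 4)` under `case TIPC_CONN_TIMEOUT:` has no comment or named constant tying it to the `tsk->conn_timeout / 4` divisor in tipc_sk_filter_connect(), so a later change to either side can silently reopen the divide-by-zero. Please add a short comment or a shared constant used by both the check and the division. Since the check only covers this setsockopt path, the divisor could also be guarded where it is used, so the invariant does not depend on every writer of conn_timeout. Note too that returning -EINVAL for values that were accepted before is a user-visible change. If that is a concern, clamping to the minimum would keep existing callers working, and the choice deserves a line in the commit message either way.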
--
2.48.1