* [PATCH net v2] tipc: fix divide-by-zero in tipc_sk_filter_connect()
@ 2026-03-06 18:50 Mehul Rao
From: Mehul Rao @ 2026-03-06 18:50 UTC (permalink / raw)
To: jmaloy, davem
Cc: edumazet, kuba, pabeni, horms, ying.xue, tung.q.nguyen, netdev,
tipc-discussion, stable, Mehul Rao
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:
delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv+0x1b99/0x3040
Call Trace:
tipc_sk_backlog_rcv+0xe4/0x1d0
__release_sock+0x1ef/0x2a0
release_sock+0x55/0x190
tipc_connect+0x140/0x510
__sys_connect+0x1bb/0x2e0
Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
---
Changes in v2:
- Clamp conn_timeout at the point of use in tipc_sk_filter_connect()
instead of rejecting small values in tipc_setsockopt()
- Link to v1: https://lore.kernel.org/netdev/20260305215336.645186-1-mehulrao@gmail.com/
---
net/tipc/socket.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 4c618c2b871d..9329919fb07f 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struct tipc_sock *tsk, struct sk_buff *skb,
if (skb_queue_empty(&sk->sk_write_queue))
break;
get_random_bytes(&delay, 2);
+ if (tsk->conn_timeout < 4)
+ tsk->conn_timeout = 4;
delay %= (tsk->conn_timeout / 4);
delay = msecs_to_jiffies(delay + 100);
sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
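Review bot: the clamp in the two `+` lines writes back to `tsk->conn_timeout` from the receive path, so a value the user set via setsockopt(TIPC_CONN_TIMEOUT) is silently rewritten as a side effect of a rejected SYN and would read back as 4 afterwards; compute the divisor from a clamped local instead, e.g. `delay %= (max_t(u32, tsk->conn_timeout, 4) / 4);`, which keeps the divisor at least 1 without mutating the socket. It is also worth noting in the commit message that for conn_timeout below 8 the divisor is 1, `delay %= 1` yields 0, and the retry fires after a fixed 100 ms, which is the pre-existing behaviour for values in [4, 7] rather than new behaviour introduced by the clamp.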
--
2.53.0
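The division the commit message describes, modelled in user space as an added example (not the kernel's or the patch author's code): the unclamped form reports the zero divisor that the kernel trips on for conn_timeout in [0, 3], and the clamped form mirrors the v2 fix applied to a local copy; the 16-bit `rnd` standing in for the two random bytes and both function names are assumptions.

```c
/* Added example: user-space model of the retry-delay computation in
 * tipc_sk_filter_connect(), so the divide-by-zero condition can be
 * checked without a kernel. Not the kernel's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The original expression `delay %= (tsk->conn_timeout / 4)`.
 * Returns false instead of dividing when conn_timeout / 4 == 0,
 * i.e. for conn_timeout in [0, 3]; in the kernel that division is
 * the "divide error" oops shown in the trace. */
static bool retry_delay_ms_unclamped(uint32_t conn_timeout, uint16_t rnd,
                                     uint32_t *delay_ms)
{
    uint32_t divisor = conn_timeout / 4;  /* integer division */

    if (divisor == 0)
        return false;                     /* kernel: divide-by-zero oops */
    *delay_ms = (rnd % divisor) + 100;    /* delay = msecs(delay + 100) */
    return true;
}

/* The patched behaviour: conn_timeout is clamped to a minimum of 4 at
 * the point of use, so the divisor is at least 1 and the expression is
 * always defined. The clamp is applied to a local copy here; the patch
 * itself writes the clamped value back into the socket. */
static uint32_t retry_delay_ms_clamped(uint32_t conn_timeout, uint16_t rnd)
{
    uint32_t timeout = conn_timeout < 4 ? 4 : conn_timeout;

    return (rnd % (timeout / 4)) + 100;
}

int main(void)
{
    uint32_t ms = 0;
    uint16_t rnd = 0xBEEF;  /* constructed stand-in for get_random_bytes(&delay, 2) */

    for (uint32_t t = 0; t < 9; t++) {
        bool ok = retry_delay_ms_unclamped(t, rnd, &ms);

        printf("conn_timeout=%u unclamped=%s clamped=%u ms\n", t,
               ok ? "ok" : "DIV-BY-ZERO", retry_delay_ms_clamped(t, rnd));
    }
    return 0;
}
```

For conn_timeout in [4, 7] both forms give a fixed 100 ms because the divisor is 1, which is the value range the clamp folds the crashing inputs into.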
* Re: [PATCH net v2] tipc: fix divide-by-zero in tipc_sk_filter_connect()
From: Eric Dumazet @ 2026-03-07 3:29 UTC (permalink / raw)
To: Mehul Rao
Cc: jmaloy, davem, kuba, pabeni, horms, ying.xue, tung.q.nguyen,
netdev, tipc-discussion, stable
On Fri, Mar 6, 2026 at 7:50 PM Mehul Rao <mehulrao@gmail.com> wrote:
>
> A user can set conn_timeout to any value via
> setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
> SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
> tipc_sk_filter_connect() executes:
>
> delay %= (tsk->conn_timeout / 4);
>
> If conn_timeout is in the range [0, 3], the integer division yields 0,
> and the modulo operation triggers a divide-by-zero exception, causing a
> kernel oops/panic.
>
> Fix this by clamping conn_timeout to a minimum of 4 at the point of use
> in tipc_sk_filter_connect().
>
Could you please add symbols to the following trace, using
scripts/decode_stacktrace.sh ?
Thanks.
> Oops: divide error: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
> RIP: 0010:tipc_sk_filter_rcv+0x1b99/0x3040
> Call Trace:
> tipc_sk_backlog_rcv+0xe4/0x1d0
> __release_sock+0x1ef/0x2a0
> release_sock+0x55/0x190
> tipc_connect+0x140/0x510
> __sys_connect+0x1bb/0x2e0
>
> Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mehul Rao <mehulrao@gmail.com>
> ---
> Changes in v2:
> - Clamp conn_timeout at the point of use in tipc_sk_filter_connect()
> instead of rejecting small values in tipc_setsockopt()
> - Link to v1: https://lore.kernel.org/netdev/20260305215336.645186-1-mehulrao@gmail.com/
> ---
> net/tipc/socket.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/tipc/socket.c b/net/tipc/socket.c
> index 4c618c2b871d..9329919fb07f 100644
> --- a/net/tipc/socket.c
> +++ b/net/tipc/socket.c
> @@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struct tipc_sock *tsk, struct sk_buff *skb,
> if (skb_queue_empty(&sk->sk_write_queue))
> break;
> get_random_bytes(&delay, 2);
> + if (tsk->conn_timeout < 4)
> + tsk->conn_timeout = 4;
> delay %= (tsk->conn_timeout / 4);
> delay = msecs_to_jiffies(delay + 100);
> sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
> --
> 2.53.0
>