CVE-2023-53517

In the Linux kernel, the following vulnerability has been resolved:

tipc: do not update mtu if msg_max is too small in mtu negotiation

When doing link mtu negotiation, a malicious peer may send Activate msg with a very small mtu, e.g. 4 in Shuang's testing, without checking for the minimum mtu, l->mtu will be set to 4 in tipclinkprotorcv(), then n->links[bearerid].mtu is set to 4294967228, which is a overflow of '4 - INTHSIZE - EMSGOVERHEAD' in tipclink_mss().

With tipclink.mtu = 4, tipclink_xmit() kept printing the warning:

tipc: Too large msg, purging xmit list 1 5 0 40 4! tipc: Too large msg, purging xmit list 1 15 0 60 4!

And with tipclinkentry.mtu 4294967228, a huge skb was allocated in nameddistribute(), and when purging it in tipclink_xmit(), a crash was even caused:

general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19 RIP: 0010:kfreeskblistreason+0x7e/0x1f0 Call Trace: <IRQ> skbreleasedata+0xf9/0x1d0 kfreeskbreason+0x40/0x100 tipclinkxmit+0x57a/0x740 [tipc] tipcnodexmit+0x16c/0x5c0 [tipc] tipcnamednodeup+0x27f/0x2c0 [tipc] tipcnodewriteunlock+0x149/0x170 [tipc] tipcrcv+0x608/0x740 [tipc] tipcudprecv+0xdc/0x1f0 [tipc] udpqueuercvoneskb+0x33e/0x620 udpunicastrcv_skb.isra.72+0x75/0x90 _udp4librcv+0x56d/0xc20 ipprotocoldeliverrcu+0x100/0x2d0

This patch fixes it by checking the new mtu against tipcbearermin_mtu(), and not updating mtu if it is too small.