A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN
is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:

    delay %= (tsk->conn_timeout / 4);

If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.

Fix this by rejecting conn_timeout values less than 4 in
tipc_setsockopt() with -EINVAL. Values below 4ms are not meaningful as a
connection timeout anyway.

  Oops: divide error: 0000 [#1] SMP KASAN NOPTI
  CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
  RIP: 0010:tipc_sk_filter_rcv+0x1b99/0x3040
  Call Trace:
   tipc_sk_backlog_rcv+0xe4/0x1d0
   __release_sock+0x1ef/0x2a0
   release_sock+0x55/0x190
   tipc_connect+0x140/0x510
   __sys_connect+0x1bb/0x2e0

Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Signed-off-by: Mehul Rao

--- net/tipc/socket.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 4c618c2b871d..85c07b0ba0ec 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -3184,6 +3184,10 @@ static int tipc_setsockopt(struct socket *sock, int lvl, int opt, tsk_set_unreturnable(tsk, value); break; case TIPC_CONN_TIMEOUT: + if (value < 4) { + res = -EINVAL; + break; + } tipc_sk(sk)->conn_timeout = value; break; case TIPC_MCAST_BROADCAST: -- 2.48.1
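
Review bot: The bare 4 in the new "if (value < 4)" check under case TIPC_CONN_TIMEOUT is tied to the "/ 4" divisor in tipc_sk_filter_connect() that the commit message quotes, but nothing in the code records that link. A one-line comment above the check, or a named constant shared by both sites, would keep the bound from drifting if the divisor is ever changed. This also makes setsockopt return -EINVAL for values 0 to 3 that were accepted before, which is a userspace-visible change. If that matters for existing callers, guarding the divisor at the retry site would remove the divide-by-zero without rejecting those values.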