CVE-2023-53517

Vulnerability

Description

In the Linux kernel's TIPC (Transparent Inter-Process Communication) module, a flaw exists in the MTU negotiation of link MTU (Maximum Transmission Unit). When processing an Activate message during link setup, the function tipc_link_proto_rcv() does not validate the minimum MTU value provided by the peer. A malicious peer can send a crafted Activate message with an MTU as small as 4 bytes, bypassing any lower-bound check. This results in l->mtu being set to that tiny value. This leads to an integer overflow when computing n->links[bearer_id].mtu via the expression 4 - INT_H_SIZE - EMSG_OVERHEAD, producing an extremely large value (e.g., 4294967228).

Exploitation

An attacker with network access to a TIPC link can send a specially crafted Activate message with a very small MTU (e.g., 4). No authentication is required beyond the ability to initiate a TIPC link negotiation. The overflowed MTU value causes the kernel to allocate a huge socket buffer (skb) in named_distribute(), and when that buffer is later freed in tipc_link_xmit(), a general protection fault (GPF) occurs, leading to a system crash. The kernel log shows repeated warnings like "Too large msg, purging xmit list" before the crash [1][2].

Impact

Successful exploitation results in a denial of service (DoS) via kernel crash. The CVSS v3 score of 5.5 (Medium) reflects the requirement for network access to trigger the vulnerability, but the impact is limited to availability. No privilege escalation or data compromise is indicated.

Mitigation

The fix, introduced in Linux kernel stable commits, adds a check in tipc_link_proto_rcv() to compare the proposed MTU against tipc_bearer_min_mtu(). If the new MTU is too small, the update is rejected, preventing the overflow and subsequent crash. Users should apply the latest kernel updates from their distribution to remediate this issue [1][2].