libceph: admit message frames only in CEPH_CON_S_OPEN state

commit a5a373705081d7cc6363e16990e2361b0b362314 upstream. Similar checks are performed for all control frames, but an early check for message frames was missing. process_message() is already set up to terminate the loop in case the state changes while con->ops->dispatch() handler is being executed. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Markuze <amarkuze@redhat.com> Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ilya Dryomov <idryomov@gmail.com> 2026-03-08 17:57:23 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-03-19 16:15:11 +0100
commit: 030387600aa42e95c251096ba5173e53a2235d03 (patch)
tree: 8a5653c8f10bfcac10400fee96a93f92748862b1 /net/ceph
parent: 08bc6173fd611ad5a40f472bf5f15b92aea0fe40 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ceph/messenger_v2.c b/net/ceph/messenger_v2.c
index ab56cda9cf3a..4653330374e4 100644
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2904,6 +2904,11 @@ static int __handle_control(struct ceph_connection *con, void *p)
 	if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
 		return process_control(con, p, end);
 
+	if (con->state != CEPH_CON_S_OPEN) {
+		con->error_msg = "protocol error, unexpected message";
+		return -EINVAL;
+	}
+
 	ret = process_message_header(con, p, end);
 	if (ret < 0)
 		return ret;
author	Ilya Dryomov <idryomov@gmail.com>	2026-03-08 17:57:23 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-03-19 16:15:11 +0100
commit	030387600aa42e95c251096ba5173e53a2235d03 (patch)
tree	8a5653c8f10bfcac10400fee96a93f92748862b1 /net/ceph
parent	08bc6173fd611ad5a40f472bf5f15b92aea0fe40 (diff)