diff options
| author | Ilya Dryomov <idryomov@gmail.com> | 2026-03-08 17:57:23 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-19 16:08:30 +0100 |
| commit | bdf614c81081b6c23bf271fa2bcc3e501ca27348 (patch) | |
| tree | b6e2a3977fde72612f5acbfd695f156822b1bbe0 /net | |
| parent | ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace (diff) | |
libceph: admit message frames only in CEPH_CON_S_OPEN state
commit a5a373705081d7cc6363e16990e2361b0b362314 upstream.
Similar checks are performed for all control frames, but an early check
for message frames was missing. process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ceph/messenger_v2.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ceph/messenger_v2.c b/net/ceph/messenger_v2.c index 1fc50a270158..5c7435fc6483 100644 --- a/net/ceph/messenger_v2.c +++ b/net/ceph/messenger_v2.c @@ -2906,6 +2906,11 @@ static int __handle_control(struct ceph_connection *con, void *p) if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE) return process_control(con, p, end); + if (con->state != CEPH_CON_S_OPEN) { + con->error_msg = "protocol error, unexpected message"; + return -EINVAL; + } + ret = process_message_header(con, p, end); if (ret < 0) return ret; |