torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-22 07:27:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

libceph: admit message frames only in CEPH_CON_S_OPEN state

Browse Source 
Similar checks are performed for all control frames, but an early check
for message frames was missing.  process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
This commit is contained in:
Ilya Dryomov
2026-03-08 17:57:23 +01:00
parent 69fb5d91bb
commit a5a3737050
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
net/ceph/messenger_v2.c
View File

@@ -2905,6 +2905,11 @@ static int __handle_control(struct ceph_connection *con, void *p)
if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
return process_control(con, p, end);
if (con->state != CEPH_CON_S_OPEN) {
con->error_msg = "protocol error, unexpected message";
return -EINVAL;
}
ret = process_message_header(con, p, end);
if (ret < 0)
return ret;