libceph: admit message frames only in CEPH_CON_S_OPEN state

Similar checks are performed for all control frames, but an early check
for message frames was missing.  process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>

diff --git a/net/ceph/messenger_v2.c b/net/ceph/messenger_v2.c
index ed618435d33a6c144a3895d1b3f89ec538d369e9..c4ddf7911f7d72c4073e6bf88ac4478ed2143653 100644 (file)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2905,6 +2905,11 @@ static int __handle_control(struct ceph_connection *con, void *p)
        if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
                return process_control(con, p, end);
 
+       if (con->state != CEPH_CON_S_OPEN) {
+               con->error_msg = "protocol error, unexpected message";
+               return -EINVAL;
+       }
+
        ret = process_message_header(con, p, end);
        if (ret < 0)
                return ret;