In certain cases, where a user misconfigures a CORS rule, the entirety
of the string can be token characters (or, at least, the string before
and after a given token is all token characters), but != "*". If the
misconfigured string includes "*" we'll try to split the string and we
assume that we can pop the list of string elements when "*" isn't
first/last, but get_str_list() won't return anything for token-only
substrings and thus 'ssplit' will have fewer elements than would be
expected for a correct rule. In the case of an empty list, front() has
undefined behaviour; in our experience, it often results in a huge
allocation attempt because the code tries to copy the string into a
local variable 'sl'.
An example of this misconfiguration (and thus a reproduction case) is
configuring an origin of " *".
Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
get_str_list((*it), "* \t", ssplit);
if (off != 0) {
+ if (ssplit.empty())
+ continue;
string sl = ssplit.front();
flen = sl.length();
dout(10) << "Finding " << sl << ", in " << h << ", at offset 0" << dendl;
ssplit.pop_front();
}
if (off != ((*it).length() - 1)) {
+ if (ssplit.empty())
+ continue;
string sl = ssplit.front();
dout(10) << "Finding " << sl << ", in " << h
<< ", at offset not less than " << flen << dendl;