rgw: Add missing empty checks to the split string in is_string_in_set().

In certain cases, where a user misconfigures a CORS rule, the entirety
of the string can be token characters (or, at least, the string before
and after a given token is all token characters), but != "*". If the
misconfigured string includes "*" we'll try to split the string and we
assume that we can pop the list of string elements when "*" isn't
first/last, but get_str_list() won't return anything for token-only
substrings and thus 'ssplit' will have fewer elements than would be
expected for a correct rule. In the case of an empty list, front() has
undefined behaviour; in our experience, it often results in a huge
allocation attempt because the code tries to copy the string into a
local variable 'sl'.

An example of this misconfiguration (and thus a reproduction case) is
configuring an origin of " *".

Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>

diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index e41abf8ccb44c34911dbe334c8a8c72085652c1b..bb80e2b58db21872cbffade78012e7e5fbaff9b4 100644 (file)
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -121,6 +121,8 @@ static bool is_string_in_set(set<string>& s, string h) {
       
       get_str_list((*it), "* \t", ssplit);
       if (off != 0) {
+        if (ssplit.empty())
+          continue;
         string sl = ssplit.front();
         flen = sl.length();
         dout(10) << "Finding " << sl << ", in " << h << ", at offset 0" << dendl;
@@ -129,6 +131,8 @@ static bool is_string_in_set(set<string>& s, string h) {
         ssplit.pop_front();
       }
       if (off != ((*it).length() - 1)) {
+        if (ssplit.empty())
+          continue;
         string sl = ssplit.front();
         dout(10) << "Finding " << sl << ", in " << h 
           << ", at offset not less than " << flen << dendl;