From: Joshua Baergen Date: Tue, 12 Sep 2023 18:05:01 +0000 (-0400) Subject: rgw: Add missing empty checks to the split string in is_string_in_set(). X-Git-Tag: testing/wip-batrick-testing-20240411.154038~180^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=64803e1ced57d64b758927c3977bb4a4d1769180;p=ceph-ci.git rgw: Add missing empty checks to the split string in is_string_in_set(). In certain cases, where a user misconfigures a CORS rule, the entirety of the string can be token characters (or, at least, the string before and after a given token is all token characters), but != "*". If the misconfigured string includes "*" we'll try to split the string and we assume that we can pop the list of string elements when "*" isn't first/last, but get_str_list() won't return anything for token-only substrings and thus 'ssplit' will have fewer elements than would be expected for a correct rule. In the case of an empty list, front() has undefined behaviour; in our experience, it often results in a huge allocation attempt because the code tries to copy the string into a local variable 'sl'. An example of this misconfiguration (and thus a reproduction case) is configuring an origin of " *". Signed-off-by: Matt Benjamin --- diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc index e41abf8ccb4..bb80e2b58db 100644 --- a/src/rgw/rgw_cors.cc +++ b/src/rgw/rgw_cors.cc @@ -121,6 +121,8 @@ static bool is_string_in_set(set& s, string h) { get_str_list((*it), "* \t", ssplit); if (off != 0) { + if (ssplit.empty()) + continue; string sl = ssplit.front(); flen = sl.length(); dout(10) << "Finding " << sl << ", in " << h << ", at offset 0" << dendl; @@ -129,6 +131,8 @@ static bool is_string_in_set(set& s, string h) { ssplit.pop_front(); } if (off != ((*it).length() - 1)) { + if (ssplit.empty()) + continue; string sl = ssplit.front(); dout(10) << "Finding " << sl << ", in " << h << ", at offset not less than " << flen << dendl;
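Review bot: in the first hunk (`@@ -121,6 +121,8 @@`, the `if (off != 0)` branch) the new `if (ssplit.empty()) continue;` makes a rule that cannot match, such as the " *" origin from the commit message, fall through silently; a `dout(10)` in the style of the existing `dout(10) << "Finding " << sl ...` line before the `continue` would let an operator see why a configured origin is never matched, and the underlying problem (a wildcard rule whose remaining text is all "* \t" characters) would be better rejected when the CORS rule is accepted rather than only tolerated at match time.

Review bot: in the second hunk (`@@ -129,6 +131,8 @@`, the `if (off != ((*it).length() - 1))` branch) the guard is needed independently of the first one, because the `ssplit.pop_front();` in the preceding context can empty the list even when `get_str_list()` returned a token: a pattern like "abc* " has `off != length - 1`, splits to the single token "abc", and is empty after the prefix pop. A short comment at this second `if (ssplit.empty()) continue;` saying that it covers both the no-token and the popped-to-empty case would stop a later cleanup from hoisting a single check to just after `get_str_list()` and reintroducing the `front()` on an empty list.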
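As an added example that is not part of this commit or of Ceph's code, the following stand-alone C++ models the wildcard origin matching described in the commit message with both empty-list guards in place. `split_tokens` is an assumed simplification of `get_str_list()` (split on any of the delimiter characters, drop empty tokens), and `origin_matches` and `pattern_is_degenerate` are hypothetical names; the sample origins are constructed for the example. It goes slightly beyond the commit message by also showing the case where the list becomes empty only after the prefix `pop_front()`.

```cpp
// Added example, not Ceph's code: a stand-alone model of the wildcard origin
// matching in is_string_in_set(), with the two empty-list guards applied.
#include <cassert>
#include <iostream>
#include <list>
#include <set>
#include <string>

// Assumed simplification of get_str_list(): split on any delimiter character
// and drop empty tokens, so a delimiter-only input such as " *" yields nothing.
static void split_tokens(const std::string& s, const std::string& delims,
                         std::list<std::string>& out) {
  std::string cur;
  for (char c : s) {
    if (delims.find(c) != std::string::npos) {
      if (!cur.empty()) { out.push_back(cur); cur.clear(); }
    } else {
      cur.push_back(c);
    }
  }
  if (!cur.empty()) out.push_back(cur);
}

// True when a wildcard pattern splits into no tokens at all: the shape of
// misconfiguration from the commit message, which reached front() on an
// empty list before the fix.
static bool pattern_is_degenerate(const std::string& pat) {
  std::list<std::string> ssplit;
  split_tokens(pat, "* \t", ssplit);
  return pat.find('*') != std::string::npos && ssplit.empty();
}

// Hypothetical matcher modelled on is_string_in_set(): a pattern holds one '*';
// the token before it must prefix h and the token after it must suffix h,
// without overlapping. The two guards mirror the ones added in the patch.
static bool origin_matches(const std::set<std::string>& s, const std::string& h) {
  if (s.find("*") != s.end() || s.find(h) != s.end()) return true;
  for (const std::string& pat : s) {
    size_t off = pat.find('*');
    if (off == std::string::npos) continue;
    std::list<std::string> ssplit;
    split_tokens(pat, "* \t", ssplit);
    size_t flen = 0;
    if (off != 0) {
      if (ssplit.empty()) continue;  // e.g. " *": no token before '*' to match
      const std::string sl = ssplit.front();
      if (h.compare(0, sl.size(), sl) != 0) continue;
      flen = sl.size();
      ssplit.pop_front();
    }
    if (off != pat.size() - 1) {
      // Needed both when get_str_list() returned nothing ("* ") and when the
      // prefix pop above emptied the list ("abc* ").
      if (ssplit.empty()) continue;
      const std::string sl = ssplit.front();
      if (h.size() < flen + sl.size() ||
          h.compare(h.size() - sl.size(), sl.size(), sl) != 0)
        continue;
      ssplit.pop_front();
    }
    if (!ssplit.empty()) continue;  // leftover tokens: pattern had more pieces
    return true;
  }
  return false;
}

int main() {
  // Constructed origins: one valid wildcard rule and two misconfigured ones.
  const std::set<std::string> rules = {"http://*.example.com", " *", "abc* "};
  for (const std::string& r : rules)
    std::cout << '"' << r << "\" degenerate: " << pattern_is_degenerate(r) << "\n";
  std::cout << "http://a.example.com matches: "
            << origin_matches(rules, "http://a.example.com") << "\n";
  std::cout << "abcdef matches: " << origin_matches(rules, "abcdef") << "\n";
  return 0;
}
```

Only the first rule can ever match; " *" is caught by the guard in the prefix branch and "abc* " by the guard in the suffix branch, after its single token has been popped. Without those guards both would call `front()` on an empty `std::list`, which is the undefined behaviour the commit message describes.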