From 64803e1ced57d64b758927c3977bb4a4d1769180 Mon Sep 17 00:00:00 2001
From: Joshua Baergen
Date: Tue, 12 Sep 2023 14:05:01 -0400
Subject: [PATCH] rgw: Add missing empty checks to the split string in is_string_in_set().

In certain cases, where a user misconfigures a CORS rule, the entirety of the string can be token characters (or, at least, the string before and after a given token is all token characters), but != "*". If the misconfigured string includes "*" we'll try to split the string and we assume that we can pop the list of string elements when "*" isn't first/last, but get_str_list() won't return anything for token-only substrings and thus 'ssplit' will have fewer elements than would be expected for a correct rule. In the case of an empty list, front() has undefined behaviour; in our experience, it often results in a huge allocation attempt because the code tries to copy the string into a local variable 'sl'. An example of this misconfiguration (and thus a reproduction case) is configuring an origin of " *".

Signed-off-by: Matt Benjamin
---
 src/rgw/rgw_cors.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index e41abf8ccb44c..bb80e2b58db21 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -121,6 +121,8 @@ static bool is_string_in_set(set& s, string h) {
       get_str_list((*it), "* \t", ssplit);
       if (off != 0) {
+        if (ssplit.empty())
+          continue;
         string sl = ssplit.front();
         flen = sl.length();
         dout(10) << "Finding " << sl << ", in " << h
           << ", at offset 0" << dendl;
@@ -129,6 +131,8 @@ static bool is_string_in_set(set& s, string h) {
         ssplit.pop_front();
       }
       if (off != ((*it).length() - 1)) {
+        if (ssplit.empty())
+          continue;
         string sl = ssplit.front();
         dout(10) << "Finding " << sl << ", in " << h
           << ", at offset not less than " << flen << dendl;
-- 
2.39.5
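Review bot: The added `ssplit.empty()` guard before `ssplit.front()` is duplicated in this hunk and in the second hunk (`@@ -129,6 +131,8`), and in both places the bare `continue` drops the rule without a trace, so an operator whose origin pattern is `" *"` sees CORS matching fail with nothing at `dout(10)` to explain it, unlike the `"Finding"` lines that log every other step. Because the number of pieces a well-formed pattern must yield is fixed by `off` alone, one check placed right after `get_str_list` can replace both guards and log the reason once; the rewritten lines follow, and with them the guard added in the second hunk becomes unnecessary. Whether malformed patterns are rejected earlier, when the CORS configuration is stored, cannot be told from this patch; if they are not, this log line is the only signal an operator gets. `is_string_in_set` begins before the hunk and continues after it.
```cpp
      get_str_list((*it), "* \t", ssplit);
      // A pattern contributes one piece for each side of the '*' that is
      // not at the edge of the string; fewer pieces means the rest was all
      // separator characters (e.g. " *") and there is nothing to match.
      const size_t expected = (off != 0) + (off != (*it).length() - 1);
      if (ssplit.size() < expected) {
        dout(10) << "Skipping malformed pattern " << *it << dendl;
        continue;
      }
      // … unchanged: prefix and suffix matching …
```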