Bugzilla – Bug 1219719
VUL-0: CVE-2023-46159: ceph: RGW crash upon misconfigured CORS rule
Last modified: 2024-02-08 09:15:03 UTC
In certain cases, where a user misconfigures a CORS rule, the entirety of the string can be token characters (or, at least, the string before and after a given token is all token characters), but != "*". If the misconfigured string includes "*" we'll try to split the string and we assume that we can pop the list of string elements when "*" isn't first/last, but get_str_list() won't return anything for token-only substrings and thus 'ssplit' will have fewer elements than would be expected for a correct rule. In the case of an empty list, front() has undefined behaviour; in our experience, it often results in a huge allocation attempt because the code tries to copy the string into a local variable 'sl'. An example of this misconfiguration (and thus a reproduction case) is configuring an origin of " *".

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46159
https://www.cve.org/CVERecord?id=CVE-2023-46159
https://bugzilla.redhat.com/show_bug.cgi?id=2215374
https://exchange.xforce.ibmcloud.com/vulnerabilities/268906
http://www.ibm.com/support/pages/node/7112263
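As an added illustration, not code from the Ceph project or from this bug report, the following C++ sketch shows the defensive shape of a wildcard CORS origin matcher: the rule is validated before any list element is used, so a rule whose text around "*" consists only of token characters (such as the " *" origin the report names) is rejected instead of reaching front() on an empty list. The token-character set, the split_tokens() helper and the function names are assumptions for this example; Ceph's real get_str_list() has its own delimiter set.

```cpp
#include <string>
#include <vector>

// Assumed delimiter ("token") set for this example; Ceph's get_str_list()
// uses its own list of separator characters.
static bool is_token_char(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == ',' || c == ';';
}

// Split on token characters and drop empty pieces. This mirrors the behaviour
// the report describes: a substring made only of token characters yields an
// empty list, which is exactly the case a caller must not assume away.
std::vector<std::string> split_tokens(const std::string& s) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (is_token_char(c)) {
            if (!cur.empty()) { out.push_back(cur); cur.clear(); }
        } else {
            cur.push_back(c);
        }
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Validate a CORS origin rule up front. A bare "*" is allowed; otherwise the
// rule may contain at most one "*", and any non-empty text on either side of
// it must contain at least one non-token character. " *" and "* " fail here.
bool cors_rule_is_valid(const std::string& rule) {
    if (rule == "*") return true;
    std::string::size_type star = rule.find('*');
    if (star == std::string::npos) return !split_tokens(rule).empty();
    if (rule.find('*', star + 1) != std::string::npos) return false;
    std::string before = rule.substr(0, star);
    std::string after  = rule.substr(star + 1);
    if (!before.empty() && split_tokens(before).empty()) return false;
    if (!after.empty()  && split_tokens(after).empty())  return false;
    return !(before.empty() && after.empty());
}

// Hardened matcher: never touches front()/back() of a possibly empty list.
// Returns false (no match, no crash) for rules that fail validation.
bool cors_origin_matches(const std::string& rule, const std::string& origin) {
    if (!cors_rule_is_valid(rule)) return false;
    if (rule == "*") return true;
    std::string::size_type star = rule.find('*');
    if (star == std::string::npos) return rule == origin;
    std::string prefix = rule.substr(0, star);
    std::string suffix = rule.substr(star + 1);
    if (origin.size() < prefix.size() + suffix.size()) return false;
    return origin.compare(0, prefix.size(), prefix) == 0 &&
           origin.compare(origin.size() - suffix.size(), suffix.size(), suffix) == 0;
}
```

The design point is that validation happens once, when the rule is loaded or before it is applied, and the matcher only ever uses bounded substr()/compare() calls on the rule itself; it never indexes into a derived list whose length depends on the rule's content.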