From 0d315000c76e465d6ab0953446ff8618ccb7623a Mon Sep 17 00:00:00 2001 From: Suyash Dongre Date: Wed, 20 Aug 2025 23:22:41 +0530 Subject: [PATCH] [PATCH] Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty The issue was that the `HTTP_X_AMZ_COPY_SOURCE` header could be present but empty (i.e., an empty string rather than NULL). The code only checked if the pointer was not NULL, but didn't verify that the string had content. When an empty string was passed to RGWCopyObj::parse_copy_location(), it would eventually try to access name_str[0] on an empty string, causing a crash. Fixes: https://tracker.ceph.com/issues/72669 Signed-off-by: Suyash Dongre Gbp-Pq: Name CVE-2024-47866.patch --- src/rgw/rgw_op.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index c2501b784..464f3f563 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -4830,6 +4830,10 @@ bool RGWCopyObj::parse_copy_location(const boost::string_view& url_src, params_str = url_src.substr(pos + 1); } + if (name_str.empty()) { + return false; + } + boost::string_view dec_src{name_str}; if (dec_src[0] == '/') dec_src.remove_prefix(1); -- 2.30.2