In certain cases, where a user misconfigures a CORS rule, the entirety of the string can be token characters (or, at least, the string before and after a given token is all token characters), but != "*". If the misconfigured string includes "*" we'll try to split the string and we assume that we can pop the list of string elements when "*" isn't first/last, but get_str_list() won't return anything for token-only substrings and thus 'ssplit' will have fewer elements than would be expected for a correct rule. In the case of an empty list, front() has undefined behaviour; in our experience, it often results in a huge allocation attempt because the code tries to copy the string into a local variable 'sl'. An example of this misconfiguration (and thus a reproduction case) is configuring an origin of " *".
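The failure mode described above, as an added example that is not Ceph's own code: a wildcard matcher that checks the token list before each front() call and reports a malformed rule instead of reading from an empty list. `split_tokens`, `match_wildcard`, `MatchResult` and the delimiter set `"* \t"` are assumptions made for illustration; `split_tokens` only models a tokenizer that, like the get_str_list() behaviour described, returns nothing for token-only substrings.

```cpp
#include <cstdio>
#include <list>
#include <string>

// Hypothetical stand-in for the tokenizer: splits on delimiter characters
// and emits no element for substrings made up only of delimiters.
static std::list<std::string> split_tokens(const std::string& s, const std::string& delims) {
  std::list<std::string> out;
  size_t pos = 0;
  while ((pos = s.find_first_not_of(delims, pos)) != std::string::npos) {
    size_t end = s.find_first_of(delims, pos);
    out.push_back(s.substr(pos, end == std::string::npos ? end : end - pos));
    pos = end;
  }
  return out;
}

enum MatchResult { NO_MATCH = 0, MATCH = 1, BAD_RULE = 2 };

// Matches value against a rule holding a single '*'. Every front() is
// guarded, because the list can be shorter than the '*' position implies.
static MatchResult match_wildcard(const std::string& rule, const std::string& value) {
  size_t off = rule.find('*');
  if (off == std::string::npos) return rule == value ? MATCH : NO_MATCH;
  std::list<std::string> ssplit = split_tokens(rule, "* \t");  // assumed delimiters
  size_t flen = 0;
  if (off != 0) {                          // '*' not first: a prefix is expected
    if (ssplit.empty()) return BAD_RULE;   // an unchecked front() here is the UB
    const std::string& sl = ssplit.front();
    if (value.compare(0, sl.size(), sl) != 0) return NO_MATCH;
    flen = sl.size();
    ssplit.pop_front();
  }
  if (off != rule.size() - 1) {            // '*' not last: a suffix is expected
    if (ssplit.empty()) return BAD_RULE;
    const std::string& sl = ssplit.front();
    if (value.size() < flen + sl.size() ||
        value.compare(value.size() - sl.size(), sl.size(), sl) != 0) return NO_MATCH;
  }
  return MATCH;
}

int main() {
  // Constructed inputs; " *" is the misconfigured origin named in the report.
  std::printf("%d\n", match_wildcard(" *", "http://www.example.com"));
  std::printf("%d\n", match_wildcard("http://*.example.com", "http://www.example.com"));
  return 0;
}
```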
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0745 https://access.redhat.com/errata/RHSA-2024:0745