author | Janis Danisevskis <jdanis@google.com> | 2019-06-05 16:42:12 -0700 |
---|---|---|
committer | Arjun Garg <arjgarg@google.com> | 2019-07-11 12:16:45 -0700 |
commit | f79271a4422e570109200fbf9e6424639cedbc01 (patch) | |
tree | a23a899aaf1e97f49ce8266c270160206016b62a | |
parent | 348f97cdb52453081ccd2b62f208066c82521aef (diff) | |
download | core-f79271a4422e570109200fbf9e6424639cedbc01.tar.gz |
Fix a memory leak in gatekeeper.android-8.1.0_r71android-8.1.0_r70android-8.1.0_r69android-8.1.0_r68
In violation of the documentation of GateKeeper::GetAuthTokenKey and
GateKeeper::GetPasswordKey, the implementations in SoftGateKeeper
allocate and return buffers and relinquish ownership, causing a memory
leak, because the caller expects the implementation to retain ownership.
Bug: 129768470
Bug: 134557251
Test: gatekeeper-unit-tests
Change-Id: I0af9539d3dcd47dfd1e7d80cdee700ea0c2d6d0f
Merged-In: I0af9539d3dcd47dfd1e7d80cdee700ea0c2d6d0f
(cherry picked from commit 6a9c4e7968e73393110b169b33fb636531fe7fc2)
-rw-r--r-- | gatekeeperd/SoftGateKeeper.h | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/gatekeeperd/SoftGateKeeper.h b/gatekeeperd/SoftGateKeeper.h
index 2f4f4d7e6..5c03dcf1b 100644
--- a/gatekeeperd/SoftGateKeeper.h
+++ b/gatekeeperd/SoftGateKeeper.h
@@ -58,23 +58,16 @@ public:
 virtual ~SoftGateKeeper() {
 }
- virtual bool GetAuthTokenKey(const uint8_t **auth_token_key,
- uint32_t *length) const {
+ virtual bool GetAuthTokenKey(const uint8_t** auth_token_key, uint32_t* length) const {
 if (auth_token_key == NULL || length == NULL) return false;
- uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
- memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
-
- *auth_token_key = auth_token_key_copy;
+ *auth_token_key = key_.get();
 *length = SIGNATURE_LENGTH_BYTES;
 return true;
 }
- virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) {
+ virtual void GetPasswordKey(const uint8_t** password_key, uint32_t* length) {
 if (password_key == NULL || length == NULL) return;
- uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
- memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
-
- *password_key = password_key_copy;
+ *password_key = key_.get();
 *length = SIGNATURE_LENGTH_BYTES;
 } |
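Review bot: Both overrides now return a pointer that aliases `key_` directly, yet nothing at the definitions of `GetAuthTokenKey` and `GetPasswordKey` states that ownership stays with the object, which is the very contract whose misreading produced the leak. I would add a comment above each, for example `// Returns a pointer into key_, owned by this SoftGateKeeper; callers must not free it or use it after this object is destroyed.` The declaration and initialisation of `key_` lie outside the hunk, so it should be confirmed there that `key_.get()` is never null at this point and that the buffer really holds SIGNATURE_LENGTH_BYTES bytes, since `*length` is reported unconditionally. The class body continues past the end of the hunk.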