diff options
author | Janis Danisevskis <jdanis@google.com> | 2019-06-05 16:42:12 -0700 |
---|---|---|
committer | Arjun Garg <arjgarg@google.com> | 2019-07-11 12:08:54 -0700 |
commit | da6c753a2bbc2b2e5a8809250a38f3fc2019d365 (patch) | |
tree | 4d50f1fc248bae69ce581f42976cb942fc0da572 | |
parent | e86fe1d2cd3fe8570fc181058877ce2dc7b9216b (diff) | |
download | core-nougat-mr2-security-release.tar.gz |
Fix a memory leak in gatekeeper.android-7.1.2_r39android-7.1.2_r38nougat-mr2-security-release
In violation to the documentation of GateKeeper::GetAuthTokenKey and
GateKeeper::GetPasswordKey, the implementations in SoftGateKeeper
allocate and return buffers and relinquish ownership causing a memory
leak, because the caller expects the implementation to retain ownership.
Bug: 129768470
Bug: 134557251
Test: gatekeeper-unit-tests
Change-Id: I0af9539d3dcd47dfd1e7d80cdee700ea0c2d6d0f
Merged-In: I0af9539d3dcd47dfd1e7d80cdee700ea0c2d6d0f
(cherry picked from commit 6a9c4e7968e73393110b169b33fb636531fe7fc2)
-rw-r--r-- | gatekeeperd/SoftGateKeeper.h | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/gatekeeperd/SoftGateKeeper.h b/gatekeeperd/SoftGateKeeper.h index 8b15d72e2..b4877e618 100644 --- a/gatekeeperd/SoftGateKeeper.h +++ b/gatekeeperd/SoftGateKeeper.h @@ -58,23 +58,16 @@ public: virtual ~SoftGateKeeper() { } - virtual bool GetAuthTokenKey(const uint8_t **auth_token_key, - uint32_t *length) const { + virtual bool GetAuthTokenKey(const uint8_t** auth_token_key, uint32_t* length) const { if (auth_token_key == NULL || length == NULL) return false; - uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES]; - memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES); - - *auth_token_key = auth_token_key_copy; + *auth_token_key = key_.get(); *length = SIGNATURE_LENGTH_BYTES; return true; } - virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) { + virtual void GetPasswordKey(const uint8_t** password_key, uint32_t* length) { if (password_key == NULL || length == NULL) return; - uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES]; - memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES); - - *password_key = password_key_copy; + *password_key = key_.get(); *length = SIGNATURE_LENGTH_BYTES; } |