author | Alexey Polyudov <apolyudov@google.com> | 2016-08-18 13:48:50 -0700 |
---|---|---|
committer | Alexey Polyudov <apolyudov@google.com> | 2016-08-18 14:29:16 -0700 |
commit | 84f8f9fdc2c779ffd938e730d7e950c3958d799e (patch) | |
tree | 744836a276593b5f8ee4b505ce86f19a370c7dd5 | |
parent | 91460330ebb054b3171d40a16d51bb71346941e6 (diff) | |
gatekeeper: fix potential stack overflowandroid-cts-8.0_r9android-cts-8.0_r8android-cts-8.0_r7android-cts-8.0_r6android-cts-8.0_r5android-cts-8.0_r4android-cts-8.0_r3android-cts-8.0_r26android-cts-8.0_r25android-cts-8.0_r24android-cts-8.0_r23android-cts-8.0_r22android-cts-8.0_r21android-cts-8.0_r20android-cts-8.0_r2android-cts-8.0_r19android-cts-8.0_r18android-cts-8.0_r17android-cts-8.0_r16android-cts-8.0_r15android-cts-8.0_r14android-cts-8.0_r13android-cts-8.0_r12android-cts-8.0_r11android-cts-8.0_r10android-cts-8.0_r1android-8.0.0_r9android-8.0.0_r7android-8.0.0_r4android-8.0.0_r36android-8.0.0_r35android-8.0.0_r32android-8.0.0_r31android-8.0.0_r30android-8.0.0_r3android-8.0.0_r29android-8.0.0_r28android-8.0.0_r2android-8.0.0_r17android-8.0.0_r16android-8.0.0_r15android-8.0.0_r13android-8.0.0_r12android-8.0.0_r11android-8.0.0_r10android-8.0.0_r1oreo-releaseoreo-r6-releaseoreo-r5-releaseoreo-r4-releaseoreo-r3-releaseoreo-r2-releaseoreo-cts-release
replace unbounded array on stack with array on heap;
Bug: 30175981
Change-Id: Ia9386cb8d9c91e989e72df2d212c9023ef4a5e01
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
-rw-r--r-- | gatekeeper.cpp | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/gatekeeper.cpp b/gatekeeper.cpp
index 44993cf..cfd878f 100644
--- a/gatekeeper.cpp
+++ b/gatekeeper.cpp
@@ -181,9 +181,15 @@ bool GateKeeper::CreatePasswordHandle(SizedBuffer *password_handle_buffer, salt_
 password_handle->hardware_backed = IsHardwareBacked();
 uint32_t metadata_length = sizeof(user_id) + sizeof(flags) + sizeof(HANDLE_VERSION);
- uint8_t to_sign[password_length + metadata_length];
- memcpy(to_sign, password_handle, metadata_length);
- memcpy(to_sign + metadata_length, password, password_length);
+ const size_t to_sign_size = password_length + metadata_length;
+ UniquePtr<uint8_t> to_sign(new uint8_t[to_sign_size]);
+
+ if (to_sign.get() == nullptr) {
+ return false;
+ }
+
+ memcpy(to_sign.get(), password_handle, metadata_length);
+ memcpy(to_sign.get() + metadata_length, password, password_length);
 const uint8_t *password_key = NULL;
 uint32_t password_key_length = 0;
@@ -194,7 +200,7 @@ bool GateKeeper::CreatePasswordHandle(SizedBuffer *password_handle_buffer, salt_
 }
 ComputePasswordSignature(password_handle->signature, sizeof(password_handle->signature),
- password_key, password_key_length, to_sign, sizeof(to_sign), salt);
+ password_key, password_key_length, to_sign.get(), to_sign_size, salt);
 return true;
 }
|
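Review bot: The new allocation `UniquePtr<uint8_t> to_sign(new uint8_t[to_sign_size]);` pairs an array `new[]` with a smart pointer declared for a single `uint8_t`; unless this UniquePtr's deleter for a non-array type uses `delete[]`, the release is a mismatched delete, so the array form `UniquePtr<uint8_t[]>` (if this UniquePtr provides one) looks like what is intended. The `to_sign.get() == nullptr` check is reachable only if this build's `operator new` returns null on failure; with a standard throwing `new` it is dead code, and `new (std::nothrow) uint8_t[to_sign_size]` would make it meaningful. The sum `password_length + metadata_length` is also still unchecked: `metadata_length` is `uint32_t`, and if `password_length` is 32-bit as well (its declaration is outside the hunk) the addition can wrap before it is stored in `size_t`, leaving a buffer smaller than what the second `memcpy` writes, so a guard such as `if (password_length > UINT32_MAX - metadata_length) return false;` belongs before the allocation. CreatePasswordHandle starts above this hunk and continues below it.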
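Review bot: `to_sign` holds a copy of the plaintext password, and after the `ComputePasswordSignature` call it is released at `return true;` without being cleared, so the password bytes remain in freed heap memory. The old stack array had the same property, but heap blocks are commonly handed to unrelated later allocations, so wiping `to_sign_size` bytes before every return that follows the copy is worth adding, using a clearing routine the compiler cannot optimise away rather than a plain `memset`. The earlier exit closed by the `}` at the top of this hunk lies outside the visible lines and presumably needs the same treatment.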