From 84f8f9fdc2c779ffd938e730d7e950c3958d799e Mon Sep 17 00:00:00 2001
From: Alexey Polyudov
Date: Thu, 18 Aug 2016 13:48:50 -0700
Subject: gatekeeper: fix potential stack overflow

replace unbounded array on stack with array on heap;
Bug: 30175981
Change-Id: Ia9386cb8d9c91e989e72df2d212c9023ef4a5e01
Signed-off-by: Alexey Polyudov
---
 gatekeeper.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/gatekeeper.cpp b/gatekeeper.cpp
index 44993cf..cfd878f 100644
--- a/gatekeeper.cpp
+++ b/gatekeeper.cpp
@@ -181,9 +181,15 @@ bool GateKeeper::CreatePasswordHandle(SizedBuffer *password_handle_buffer, salt_
 password_handle->hardware_backed = IsHardwareBacked();
 uint32_t metadata_length = sizeof(user_id) + sizeof(flags) + sizeof(HANDLE_VERSION);
- uint8_t to_sign[password_length + metadata_length];
- memcpy(to_sign, password_handle, metadata_length);
- memcpy(to_sign + metadata_length, password, password_length);
+ const size_t to_sign_size = password_length + metadata_length;
+ UniquePtr to_sign(new uint8_t[to_sign_size]);
+
+ if (to_sign.get() == nullptr) {
+ return false;
+ }
+
+ memcpy(to_sign.get(), password_handle, metadata_length);
+ memcpy(to_sign.get() + metadata_length, password, password_length);
 const uint8_t *password_key = NULL;
 uint32_t password_key_length = 0;
@@ -194,7 +200,7 @@ bool GateKeeper::CreatePasswordHandle(SizedBuffer *password_handle_buffer, salt_
 }
 ComputePasswordSignature(password_handle->signature, sizeof(password_handle->signature),
- password_key, password_key_length, to_sign, sizeof(to_sign), salt);
+ password_key, password_key_length, to_sign.get(), to_sign_size, salt);
 return true;
 }
-- 
cgit v1.2.3
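Review bot: The sum `password_length + metadata_length` that sizes the new heap buffer in the first hunk is still unchecked, so if `password_length` is a 32-bit value like `metadata_length` (its declaration is outside the hunk), a length near the 32-bit maximum wraps `to_sign_size` to a small number and the second `memcpy` then copies `password_length` bytes past the end of the allocation. Reject the length before allocating, e.g. `if (password_length > UINT32_MAX - metadata_length) return false;`, and preferably also enforce an explicit upper bound on password size. Separately, the `to_sign.get() == nullptr` test only helps if this build's `operator new[]` returns null on failure; with the standard throwing form the check never fires, so `new (std::nothrow) uint8_t[to_sign_size]` would make the intent explicit. CreatePasswordHandle begins and ends outside this hunk.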