diff options
author | Shawn Willden <swillden@google.com> | 2016-02-02 17:32:31 -0700 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2016-02-02 17:34:27 -0700 |
commit | 067042f6d7be14cb0f01388c41af597caf8e60fe (patch) | |
tree | 5a05cb1f03e581e3ef2469a2b18e25c94b3ca9de | |
parent | b3bb39218888c573c1b341d3ee11516b9ad2d3b4 (diff) | |
download | security-067042f6d7be14cb0f01388c41af597caf8e60fe.tar.gz |
Fix various memory errors.
Bug: 26910835
Change-Id: I2973221a798b08bbde6dc7ac5464a99b2dc26b4d
-rw-r--r-- | keystore/IKeystoreService.cpp | 34 | ||||
-rw-r--r-- | keystore/include/keystore/IKeystoreService.h | 2 |
2 files changed, 26 insertions, 10 deletions
diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp index d03a0117..6dc61473 100644 --- a/keystore/IKeystoreService.cpp +++ b/keystore/IKeystoreService.cpp @@ -221,31 +221,44 @@ static bool readKeymasterBlob(const Parcel& in, keymaster_blob_t* blob) { return false; } - blob->data_length = 0; ssize_t length = in.readInt32(); if (length <= 0) { - blob->data = nullptr; return false; } - blob->data = reinterpret_cast<const uint8_t*>(in.readInplace(length)); - if (blob->data) { - blob->data_length = static_cast<size_t>(length); - } + blob->data = reinterpret_cast<const uint8_t*>(malloc(length)); + if (!blob->data) + return false; + + const void* buf = in.readInplace(length); + if (!buf) + return false; + + blob->data_length = static_cast<size_t>(length); + memcpy(const_cast<uint8_t*>(blob->data), buf, length); + return true; } void KeymasterCertificateChain::readFromParcel(const Parcel& in) { + keymaster_free_cert_chain(&chain); + ssize_t count = in.readInt32(); size_t ucount = count; - if (count < 0) { - ucount = 0; + if (count <= 0) { + return; } - keymaster_free_cert_chain(&chain); - chain.entries = new keymaster_blob_t[ucount]; + + chain.entries = reinterpret_cast<keymaster_blob_t*>(malloc(sizeof(keymaster_blob_t) * ucount)); + if (!chain.entries) { + ALOGE("Error allocating memory for certificate chain"); + return; + } + memset(chain.entries, 0, sizeof(keymaster_blob_t) * ucount); for (size_t i = 0; i < ucount; ++i) { if (!readKeymasterBlob(in, &chain.entries[i])) { + ALOGE("Error reading certificate from parcel"); keymaster_free_cert_chain(&chain); return; } @@ -365,6 +378,7 @@ bool readKeymasterArgumentFromParcel(const Parcel& in, keymaster_key_param_t* ou const void* buf = in.readInplace(ulength); if (!buf || !data) { ALOGE("Failed to allocate buffer for keymaster blob param"); + free(data); return false; } memcpy(data, buf, ulength); diff --git a/keystore/include/keystore/IKeystoreService.h b/keystore/include/keystore/IKeystoreService.h index 64968e5f..f5d812ac 100644 --- a/keystore/include/keystore/IKeystoreService.h +++ b/keystore/include/keystore/IKeystoreService.h @@ -97,6 +97,8 @@ struct KeymasterCertificateChain { void readFromParcel(const Parcel& in); void writeToParcel(Parcel* out) const; + void FreeChain(); + keymaster_cert_chain_t chain; }; |