Fix potential use-after-free in hw auth token handling.
The operation map caches the hw_auth_token used to start the operation,
but it was storing the pointer returned by the auth token table and not
the token itself, leading to a potential use-after-free if the token was
removed from the table between the operation starting and completing.
The operation table now stores the auth token itself instead of the
pointer provided by the auth table.
Change-Id: I80fd49655ed98e7879d2caa7f1ae077ff50e0e54
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 667f456..74d65f6 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -115,11 +115,7 @@
if (entry == mMap.end()) {
return false;
}
- if (entry->second.authToken.get() != NULL) {
- *outToken = *entry->second.authToken;
- } else {
- *outToken = NULL;
- }
+ *outToken = entry->second.authToken.get();
return true;
}
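Review bot: The pointer written to `*outToken` on the added line aliases the copy owned by the operation entry, and nothing here documents how long it stays valid. It is good only until the entry is erased from `mMap` or its `authToken` is reset by the setter in the next hunk. A caller that keeps the pointer across either event would reintroduce the dangling pointer this commit removes; the callers are not visible here, so this needs confirming. I would add a comment above the assignment, e.g. `// *outToken points into the operation entry; valid only until the entry is removed or its token is replaced`. The function's signature and start lie outside the hunk.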
@@ -128,8 +124,8 @@
if (entry == mMap.end()) {
return false;
}
- entry->second.authToken.reset(new const hw_auth_token_t*);
- *entry->second.authToken = authToken;
+ entry->second.authToken.reset(new hw_auth_token_t);
+ *entry->second.authToken = *authToken;
return true;
}
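Review bot: The added copy `*entry->second.authToken = *authToken;` dereferences `authToken` with no null check, whereas the removed code only stored the pointer and so tolerated NULL. If any caller can pass NULL, for example for an operation started without an auth token (not visible in this hunk), this becomes a null dereference inside the keystore process. A guard before the allocation would keep the old behaviour, where the getter reports NULL: `if (authToken == NULL) { entry->second.authToken.reset(); return true; }`, assuming `authToken` is a unique_ptr-style holder as its `.get()`/`.reset()` use suggests. The function's signature and start lie outside the hunk.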