Fix heap use after free.
Asan shows the memory op used was freed by mOperationMap.removeOperation(token), so change the order of mAuthTokenTable.MarkCompleted(op.handle) and mOperationMap.removeOperation(token).
Bug: 74572753
Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts/KeyStoreTest.java
Change-Id: I9f5452fc639a1f694c37759ee860f73f57d0fdcf
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index aab3db1..721b857 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1436,8 +1436,9 @@
op.device->finish(op.handle, inParams,
::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */,
signature, authToken, VerificationToken(), hidlCb));
- mOperationMap.removeOperation(token);
+ // removeOperation() will free the memory 'op' used, so the order is important
mAuthTokenTable.MarkCompleted(op.handle);
+ mOperationMap.removeOperation(token);
// just a reminder: on success result->resultCode was set in the callback. So we only overwrite
// it if there was a communication error indicated by the ErrorCode.
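Review bot: after the reordered pair `mAuthTokenTable.MarkCompleted(op.handle);` / `mOperationMap.removeOperation(token);`, `op` still refers to freed memory for the rest of the function, and only the new comment guards against a later use. Consider copying `op.handle` into a local before calling `removeOperation(token)`, or ending the scope of `op` at that point, so that a future edit below this line cannot reintroduce the use after free. It is also worth confirming that no other caller of `removeOperation(token)` in this file reads `op` afterwards; that cannot be judged from this hunk alone.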