[automerger] Remove potential double free am: 9d4b635922 am: 85e5167178 am: 4dd7a24475 am: 0573a65f08 am: 93ba1512a8 am: aafa29b59c am: 564b0eae9f am: f68302d93b
am: 10f9d7dbe3
Change-Id: Ie86350d857d4b51e5b4c77d56208459f09d0e73d
diff --git a/gatekeeper.cpp b/gatekeeper.cpp
index fe427bd..9097491 100644
--- a/gatekeeper.cpp
+++ b/gatekeeper.cpp
@@ -37,6 +37,10 @@
// Password handle does not match what is stored, generate new SecureID
GetRandom(&user_id, sizeof(secure_id_t));
} else {
+ if (request.password_handle.length < sizeof(password_handle_t)) {
+ response->error = ERROR_INVALID;
+ return;
+ }
password_handle_t *pw_handle =
reinterpret_cast<password_handle_t *>(request.password_handle.buffer.get());
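Review bot: The new guard only checks `request.password_handle.length`; the `reinterpret_cast` on the next line still dereferences `buffer.get()`, which the hunk does not show to be non-null, so unless the caller already guarantees it the check should be `if (!request.password_handle.buffer || request.password_handle.length < sizeof(password_handle_t)) {`. The identical guard is added again in the second hunk of this file, so a small helper that validates a handle once would keep the two copies from drifting (one copy is followed by a blank line, the other is not). Reading a `password_handle_t` through a cast byte pointer also assumes the buffer is suitably aligned; if the struct has wider-than-byte members, copying it with `memcpy` into a local is the portable form. Both enclosing functions start and end outside their hunks.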
@@ -109,6 +113,11 @@
return;
}
+ if (request.password_handle.length < sizeof(password_handle_t)) {
+ response->error = ERROR_INVALID;
+ return;
+ }
+
password_handle_t *password_handle = reinterpret_cast<password_handle_t *>(
request.password_handle.buffer.get());
@@ -232,7 +241,7 @@
token->challenge = challenge;
token->user_id = user_id;
token->authenticator_id = authenticator_id;
- token->authenticator_type = htonl(HW_AUTH_PASSWORD);
+ token->authenticator_type = htobe32(HW_AUTH_PASSWORD);
token->timestamp = htobe64(timestamp);
const uint8_t *auth_token_key = NULL;
@@ -253,11 +262,11 @@
* Calculates the timeout in milliseconds as a function of the failure
* counter 'x' as follows:
*
- * [0. 5) -> 0
+ * [0, 4] -> 0
* 5 -> 30
- * [6, 10) -> 0
- * [11, 30) -> 30
- * [30, 140) -> 30 * (2^((x - 30)/10))
+ * [6, 10] -> 0
+ * [11, 29] -> 30
+ * [30, 139] -> 30 * (2^((x - 30)/10))
* [140, inf) -> 1 day
*
*/
diff --git a/gatekeeper_messages.cpp b/gatekeeper_messages.cpp
index d6d028d..dfa9b18 100644
--- a/gatekeeper_messages.cpp
+++ b/gatekeeper_messages.cpp
@@ -103,18 +103,21 @@
}
gatekeeper_error_t GateKeeperMessage::Deserialize(const uint8_t *payload, const uint8_t *end) {
- if (payload + sizeof(uint32_t) > end) return ERROR_INVALID;
+ if (payload + sizeof(serial_header_t) > end) return ERROR_INVALID;
const serial_header_t *header = reinterpret_cast<const serial_header_t *>(payload);
+ payload += sizeof(serial_header_t);
+ user_id = header->user_id;
if (header->error == ERROR_NONE) {
- if (payload == end) return ERROR_INVALID;
- user_id = header->user_id;
- error = nonErrorDeserialize(payload + sizeof(*header), end);
+ error = nonErrorDeserialize(payload, end);
} else {
error = static_cast<gatekeeper_error_t>(header->error);
- user_id = header->user_id;
if (error == ERROR_RETRY) {
- if (payload + sizeof(serial_header_t) < end) {
- memcpy(&retry_timeout, payload + sizeof(serial_header_t), sizeof(retry_timeout));
+ if (payload < end) {
+ if (payload + sizeof(retry_timeout) <= end) {
+ memcpy(&retry_timeout, payload, sizeof(retry_timeout));
+ } else {
+ error = ERROR_INVALID;
+ }
} else {
retry_timeout = 0;
}
@@ -179,6 +182,9 @@
provided_password.buffer.reset();
}
+ if (payload + sizeof(challenge) > end) {
+ return ERROR_INVALID;
+ }
memcpy(&challenge, payload, sizeof(challenge));
payload += sizeof(challenge);
@@ -231,6 +237,10 @@
return err;
}
+ if (payload + sizeof(request_reenroll) > end) {
+ return ERROR_INVALID;
+ }
+
memcpy(&request_reenroll, payload, sizeof(request_reenroll));
return ERROR_NONE;
}
diff --git a/rules.mk b/rules.mk
index 46f3df8..831c05a 100644
--- a/rules.mk
+++ b/rules.mk
@@ -14,7 +14,6 @@
$(LOCAL_DIR)/../../hardware/libhardware/include
MODULE_DEPS := \
- lib/libc \
- lib/libc-trusty \
+ trusty/user/base/lib/libc-trusty \
include make/module.mk
diff --git a/tests/gatekeeper_device_test.cpp b/tests/gatekeeper_device_test.cpp
index 0e7ace6..f166ca8 100644
--- a/tests/gatekeeper_device_test.cpp
+++ b/tests/gatekeeper_device_test.cpp
@@ -98,7 +98,7 @@
hat = reinterpret_cast<hw_auth_token_t *>(auth_token);
ASSERT_EQ(HW_AUTH_TOKEN_VERSION, hat->version);
- ASSERT_EQ(htonl(HW_AUTH_PASSWORD), hat->authenticator_type);
+ ASSERT_EQ(htobe32(HW_AUTH_PASSWORD), hat->authenticator_type);
}
TEST_F(GateKeeperDeviceTest, EnrollAndVerifyTimeout) {
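Review bot: The test change only tracks the `htobe32` rename; none of the new length checks in `gatekeeper.cpp` and `gatekeeper_messages.cpp` are covered. A test that sends a `password_handle` shorter than `sizeof(password_handle_t)` and a test that truncates a serialized message before the `challenge` field, each asserting `ERROR_INVALID`, would pin the behaviour this commit adds and catch a regression if the guards are reordered later. The enclosing test fixture continues outside the hunk.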