cryptsetup-pkcs11: use erase_and_free for decrypted key cleanup.

It's hard to hit but it could leave decrypted key in memory on error
path.

diff --git a/src/cryptsetup/cryptsetup-pkcs11.c b/src/cryptsetup/cryptsetup-pkcs11.c
index 67adf923cc064e512ee8b7db0410ea09678ea331..e743f10151be0f46590c585097d9235f4e0bc695 100644 (file)
--- a/src/cryptsetup/cryptsetup-pkcs11.c
+++ b/src/cryptsetup/cryptsetup-pkcs11.c
@@ -36,7 +36,7 @@ struct pkcs11_callback_data {
 };
 
 static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) {
-        free(data->decrypted_key);
+        erase_and_free(data->decrypted_key);
 
         if (data->free_encrypted_key)
                 free(data->encrypted_key);