author | James Wei <jameswei@google.com> | 2019-05-28 17:18:21 +0800 |
---|---|---|
committer | James Wei <jameswei@google.com> | 2020-02-13 14:03:38 +0800 |
commit | 6111b2b92a1844f5796c718bf0736102b876c2b9 (patch) | |
tree | 4602e69e50256ce7cc852e840e990ed0b36b9492 | |
parent | 58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d (diff) | |
MTP: Sanitize filename provided from MTP host
Fix potential security vulnerability via MTP path traversal
Bug: 130656917
Test: atest frameworks/av/media/mtp/tests
Test: Manual test: modified libmtp for path traversal attack
Test: Manual test: normal recursive folder copy
Note: Also patched with 68ccf5c (b/135764253)
Change-Id: I467e1e6a76d09951050f7f45e5a63419e540c572
(cherry picked from commit e783e4b24b9e4080e50c50d62a24bcbfabb3e03d)
Merged-In: I467e1e6a76d09951050f7f45e5a63419e540c572
-rw-r--r-- | media/mtp/MtpServer.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index ca8cb785e9..dd69496160 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp
@@ -44,6 +44,7 @@
 #include "MtpStringBuffer.h"
 namespace android {
+static const int SN_EVENT_LOG_ID = 0x534e4554;
 static const MtpOperationCode kSupportedOperationCodes[] = {
 MTP_OPERATION_GET_DEVICE_INFO,
@@ -961,6 +962,17 @@ MtpResponseCode MtpServer::doSendObjectInfo() {
 if (!parseDateTime(modified, modifiedTime)) modifiedTime = 0;
+ if ((strcmp(name, ".") == 0) || (strcmp(name, "..") == 0) ||
+ (strchr(name, '/') != NULL)) {
+ char errMsg[80];
+
+ snprintf(errMsg, sizeof(errMsg), "Invalid name: %s", (const char *) name);
+ ALOGE("%s (b/130656917)", errMsg);
+ android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,
+ strlen(errMsg));
+
+ return MTP_RESPONSE_INVALID_PARAMETER;
+ }
 if (path[path.size() - 1] != '/') path.append("/");
 path.append(name); |
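Review bot: `SN_EVENT_LOG_ID` in the first hunk is a bare magic number with no explanation. 0x534e4554 is the ASCII bytes "SNET", so a one-line comment such as `// event-log tag 0x534e4554 == "SNET"; passed to android_errorWriteWithInfoLog()` would tell readers what it is. If a shared header already defines this tag, using that definition would avoid a second copy, but that cannot be checked from this hunk.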
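Review bot: An empty name still passes the new check in doSendObjectInfo(), because only ".", ".." and names containing '/' are rejected. With an empty name, `path.append(name)` leaves the path pointing at the parent directory itself. Whether later code rejects that case is outside the hunk, so I would add `strlen(name) == 0 ||` to the front of the condition. The rejected name is host-controlled and is written verbatim to logcat and the event log, truncated to 80 bytes by `snprintf`; a short comment such as `// name is untrusted host input: logged truncated, never used as a format string` would make that explicit. The function body starts and ends outside the hunk.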