Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0931b108 authored by James Wei's avatar James Wei
Browse files

MTP: Sanitize filename provided from MTP host#3 

Fix string handling on file name

Bug: 130656917
Test: atest frameworks/av/media/mtp/tests
Test: Manual test: modified libmtp for long path traversal attack
Test: Manual test: normal recursive folder copy
Change-Id: Ic6cf2af860f2c5e40fd176b5f4c6d0edfac79b49
parent f29bd6bf

media/mtp/MtpServer.cpp

+2 −2
Original line number Diff line number Diff line
@@ -969,7 +969,7 @@ MtpResponseCode MtpServer::doSendObjectInfo() { 
        modifiedTime = 0;



    if ((strcmp(name, ".") == 0) || (strcmp(name, "..") == 0) ||

        (strcmp(name, "/") == 0) || (strcmp(basename(name), name) != 0)) {

        (strchr(name, '/') != NULL)) {

        char errMsg[80];



        snprintf(errMsg, sizeof(errMsg), "Invalid name: %s", (const char *) name);
@@ -981,7 +981,7 @@ MtpResponseCode MtpServer::doSendObjectInfo() { 
    }

    if (path[path.size() - 1] != '/')

        path.append("/");

    path.append(basename(name));

    path.append(name);



    // check space first

    if (mSendObjectFileSize > storage->getFreeSpace())