Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e783e4b2 authored by James Wei's avatar James Wei
Browse files

MTP: Sanitize filename provided from MTP host 

Fix potential security vulnerability via MTP path traversal

Bug: 130656917
Test: atest frameworks/av/media/mtp/tests
Test: Manual test: modified libmtp for path traversal attack
Test: Manual test: normal recursive folder copy
Change-Id: I467e1e6a76d09951050f7f45e5a63419e540c572
parent 8b43461c

media/mtp/MtpServer.cpp

+13 −1
Original line number Diff line number Diff line
@@ -44,6 +44,7 @@ 
#include "MtpStringBuffer.h"



namespace android {

static const int SN_EVENT_LOG_ID = 0x534e4554;



static const MtpOperationCode kSupportedOperationCodes[] = {

    MTP_OPERATION_GET_DEVICE_INFO,
@@ -961,9 +962,20 @@ MtpResponseCode MtpServer::doSendObjectInfo() { 
    if (!parseDateTime(modified, modifiedTime))

        modifiedTime = 0;



    if ((strcmp(name, ".") == 0) || (strcmp(name, "..") == 0) ||

        (strcmp(name, "/") == 0) || (strcmp(basename(name), name) != 0)) {

        char errMsg[80];



        sprintf(errMsg, "Invalid name: %s", (const char *) name);

        ALOGE("%s (b/130656917)", errMsg);

        android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,

                                      strlen(errMsg));



        return MTP_RESPONSE_INVALID_PARAMETER;

    }

    if (path[path.size() - 1] != '/')

        path.append("/");

    path.append(name);

    path.append(basename(name));



    // check space first

    if (mSendObjectFileSize > storage->getFreeSpace())