Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 42dbfa51 authored by Mike Lockwood's avatar Mike Lockwood
Browse files

MTP: Use a fd instead of a file path in file transfer ioctls. 



This restricts the driver to the client's permissions when copying files
to avoid potential security problems.

Change-Id: I9b3151168d334fe4374875804d4ba82bef44db3b
Signed-off-by: default avatarMike Lockwood <lockwood@android.com>
parent dff6e6e3

media/mtp/MtpServer.cpp

+13 −6
Original line number Diff line number Diff line
@@ -413,14 +413,17 @@ MtpResponseCode MtpServer::doGetObjectInfo() { 


MtpResponseCode MtpServer::doGetObject() {

    MtpObjectHandle handle = mRequest.getParameter(1);

    MtpString filePath;

    MtpString pathBuf;

    int64_t fileLength;

    if (!mDatabase->getObjectFilePath(handle, filePath, fileLength))

    if (!mDatabase->getObjectFilePath(handle, pathBuf, fileLength))

        return MTP_RESPONSE_INVALID_OBJECT_HANDLE;

    const char* filePath = (const char *)pathBuf;



    mtp_file_range  mfr;

    mfr.path = filePath;

    mfr.path_length = strlen(mfr.path);

    mfr.fd = open(filePath, O_RDONLY);

    if (mfr.fd < 0) {

        return MTP_RESPONSE_GENERAL_ERROR;

    }

    mfr.offset = 0;

    mfr.length = fileLength;
@@ -431,6 +434,7 @@ MtpResponseCode MtpServer::doGetObject() { 


    // then transfer the file

    int ret = ioctl(mFD, MTP_SEND_FILE, (unsigned long)&mfr);

    close(mfr.fd);

    if (ret < 0) {

        if (errno == ECANCELED)

            return MTP_RESPONSE_TRANSACTION_CANCELLED;
@@ -534,13 +538,16 @@ MtpResponseCode MtpServer::doSendObject() { 
    mData.reset();



    mtp_file_range  mfr;

    mfr.path = (const char*)mSendObjectFilePath;

    mfr.path_length = strlen(mfr.path);

    mfr.fd = open(mSendObjectFilePath, O_RDWR | O_CREAT | O_TRUNC);

    if (mfr.fd < 0) {

        return MTP_RESPONSE_GENERAL_ERROR;

    }

    mfr.offset = 0;

    mfr.length = mSendObjectFileSize;



    // transfer the file

    ret = ioctl(mFD, MTP_RECEIVE_FILE, (unsigned long)&mfr);

    close(mfr.fd);

    // FIXME - we need to delete mSendObjectHandle from the database if this fails.

    printf("MTP_RECEIVE_FILE returned %d\n", ret);

    mSendObjectHandle = kInvalidObjectHandle;

media/mtp/f_mtp.h

+2 −4
Original line number Diff line number Diff line
@@ -24,10 +24,8 @@ 




struct mtp_file_range {

	/* path for file to transfer */

	const char	*path;

	/* strlen(path) */

	int			path_length;

	/* file descriptor for file to transfer */

	int			fd;

	/* offset in file for start of transfer */

	loff_t  	offset;

	/* number of bytes to transfer */