diff options
| author | Mike Lockwood <lockwood@android.com> | 2010-06-22 15:03:53 -0400 |
|---|---|---|
| committer | Mike Lockwood <lockwood@android.com> | 2010-06-22 16:38:01 -0400 |
| commit | 42dbfa51aefa2abe9e732b5161316deb28134759 (patch) | |
| tree | 25eb8e5bd3ab57c408c1b310290ed96376732c13 /media/mtp/MtpServer.cpp | |
| parent | dff6e6e3781de219472589e9629b75de42b624d8 (diff) | |
| download | frameworks_base-42dbfa51aefa2abe9e732b5161316deb28134759.zip frameworks_base-42dbfa51aefa2abe9e732b5161316deb28134759.tar.gz frameworks_base-42dbfa51aefa2abe9e732b5161316deb28134759.tar.bz2 | |
MTP: Use a fd instead of a file path in file transfer ioctls.
This restricts the driver to the client's permissions when copying files
to avoid potential security problems.
Change-Id: I9b3151168d334fe4374875804d4ba82bef44db3b
Signed-off-by: Mike Lockwood <lockwood@android.com>
Diffstat (limited to 'media/mtp/MtpServer.cpp')
| -rw-r--r-- | media/mtp/MtpServer.cpp | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp index 0fba4dd..a9b4ca6 100644 --- a/media/mtp/MtpServer.cpp +++ b/media/mtp/MtpServer.cpp @@ -413,14 +413,17 @@ MtpResponseCode MtpServer::doGetObjectInfo() { MtpResponseCode MtpServer::doGetObject() { MtpObjectHandle handle = mRequest.getParameter(1); - MtpString filePath; + MtpString pathBuf; int64_t fileLength; - if (!mDatabase->getObjectFilePath(handle, filePath, fileLength)) + if (!mDatabase->getObjectFilePath(handle, pathBuf, fileLength)) return MTP_RESPONSE_INVALID_OBJECT_HANDLE; + const char* filePath = (const char *)pathBuf; mtp_file_range mfr; - mfr.path = filePath; - mfr.path_length = strlen(mfr.path); + mfr.fd = open(filePath, O_RDONLY); + if (mfr.fd < 0) { + return MTP_RESPONSE_GENERAL_ERROR; + } mfr.offset = 0; mfr.length = fileLength; @@ -431,6 +434,7 @@ MtpResponseCode MtpServer::doGetObject() { // then transfer the file int ret = ioctl(mFD, MTP_SEND_FILE, (unsigned long)&mfr); + close(mfr.fd); if (ret < 0) { if (errno == ECANCELED) return MTP_RESPONSE_TRANSACTION_CANCELLED; @@ -534,13 +538,16 @@ MtpResponseCode MtpServer::doSendObject() { mData.reset(); mtp_file_range mfr; - mfr.path = (const char*)mSendObjectFilePath; - mfr.path_length = strlen(mfr.path); + mfr.fd = open(mSendObjectFilePath, O_RDWR | O_CREAT | O_TRUNC); + if (mfr.fd < 0) { + return MTP_RESPONSE_GENERAL_ERROR; + } mfr.offset = 0; mfr.length = mSendObjectFileSize; // transfer the file ret = ioctl(mFD, MTP_RECEIVE_FILE, (unsigned long)&mfr); + close(mfr.fd); // FIXME - we need to delete mSendObjectHandle from the database if this fails. printf("MTP_RECEIVE_FILE returned %d\n", ret); mSendObjectHandle = kInvalidObjectHandle; |