diff options
author | Mike Lockwood <lockwood@android.com> | 2010-06-22 15:03:53 -0400 |
---|---|---|
committer | Mike Lockwood <lockwood@android.com> | 2010-06-22 16:38:01 -0400 |
commit | 42dbfa51aefa2abe9e732b5161316deb28134759 (patch) | |
tree | 25eb8e5bd3ab57c408c1b310290ed96376732c13 /media/mtp | |
parent | dff6e6e3781de219472589e9629b75de42b624d8 (diff) | |
download | frameworks_base-42dbfa51aefa2abe9e732b5161316deb28134759.zip frameworks_base-42dbfa51aefa2abe9e732b5161316deb28134759.tar.gz frameworks_base-42dbfa51aefa2abe9e732b5161316deb28134759.tar.bz2 |
MTP: Use a fd instead of a file path in file transfer ioctls.
This restricts the driver to the client's permissions when copying files
to avoid potential security problems.
Change-Id: I9b3151168d334fe4374875804d4ba82bef44db3b
Signed-off-by: Mike Lockwood <lockwood@android.com>
Diffstat (limited to 'media/mtp')
-rw-r--r-- | media/mtp/MtpServer.cpp | 19 | ||||
-rw-r--r-- | media/mtp/f_mtp.h | 6 |
2 files changed, 15 insertions, 10 deletions
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp index 0fba4dd..a9b4ca6 100644 --- a/media/mtp/MtpServer.cpp +++ b/media/mtp/MtpServer.cpp @@ -413,14 +413,17 @@ MtpResponseCode MtpServer::doGetObjectInfo() { MtpResponseCode MtpServer::doGetObject() { MtpObjectHandle handle = mRequest.getParameter(1); - MtpString filePath; + MtpString pathBuf; int64_t fileLength; - if (!mDatabase->getObjectFilePath(handle, filePath, fileLength)) + if (!mDatabase->getObjectFilePath(handle, pathBuf, fileLength)) return MTP_RESPONSE_INVALID_OBJECT_HANDLE; + const char* filePath = (const char *)pathBuf; mtp_file_range mfr; - mfr.path = filePath; - mfr.path_length = strlen(mfr.path); + mfr.fd = open(filePath, O_RDONLY); + if (mfr.fd < 0) { + return MTP_RESPONSE_GENERAL_ERROR; + } mfr.offset = 0; mfr.length = fileLength; @@ -431,6 +434,7 @@ MtpResponseCode MtpServer::doGetObject() { // then transfer the file int ret = ioctl(mFD, MTP_SEND_FILE, (unsigned long)&mfr); + close(mfr.fd); if (ret < 0) { if (errno == ECANCELED) return MTP_RESPONSE_TRANSACTION_CANCELLED; @@ -534,13 +538,16 @@ MtpResponseCode MtpServer::doSendObject() { mData.reset(); mtp_file_range mfr; - mfr.path = (const char*)mSendObjectFilePath; - mfr.path_length = strlen(mfr.path); + mfr.fd = open(mSendObjectFilePath, O_RDWR | O_CREAT | O_TRUNC); + if (mfr.fd < 0) { + return MTP_RESPONSE_GENERAL_ERROR; + } mfr.offset = 0; mfr.length = mSendObjectFileSize; // transfer the file ret = ioctl(mFD, MTP_RECEIVE_FILE, (unsigned long)&mfr); + close(mfr.fd); // FIXME - we need to delete mSendObjectHandle from the database if this fails. printf("MTP_RECEIVE_FILE returned %d\n", ret); mSendObjectHandle = kInvalidObjectHandle; diff --git a/media/mtp/f_mtp.h b/media/mtp/f_mtp.h index 82015a0..c1c9aef 100644 --- a/media/mtp/f_mtp.h +++ b/media/mtp/f_mtp.h @@ -24,10 +24,8 @@ struct mtp_file_range { - /* path for file to transfer */ - const char *path; - /* strlen(path) */ - int path_length; + /* file descriptor for file to transfer */ + int fd; /* offset in file for start of transfer */ loff_t offset; /* number of bytes to transfer */ |