commit 6111b2b92a1844f5796c718bf0736102b876c2b9
author James Wei <jameswei@google.com> Tue May 28 17:18:21 2019 +0800
committer James Wei <jameswei@google.com> Thu Feb 13 14:03:38 2020 +0800
tree 4602e69e50256ce7cc852e840e990ed0b36b9492
parent 58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d

MTP: Sanitize filename provided from MTP host

Fix potential security vulnerability via MTP path traversal

Bug: 130656917
Test: atest frameworks/av/media/mtp/tests
Test: Manual test: modified libmtp for path traversal attack
Test: Manual test: normal recursive folder copy
Note: Also patched with 68ccf5c (b/135764253)
Change-Id: I467e1e6a76d09951050f7f45e5a63419e540c572
(cherry picked from commit e783e4b24b9e4080e50c50d62a24bcbfabb3e03d)
Merged-In: I467e1e6a76d09951050f7f45e5a63419e540c572

media/mtp/MtpServer.cpp

diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index ca8cb78..dd69496 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp
@@ -44,6 +44,7 @@
 #include "MtpStringBuffer.h"
 
 namespace android {
+static const int SN_EVENT_LOG_ID = 0x534e4554;
 
 static const MtpOperationCode kSupportedOperationCodes[] = {
     MTP_OPERATION_GET_DEVICE_INFO,
@@ -961,6 +962,17 @@
     if (!parseDateTime(modified, modifiedTime))
         modifiedTime = 0;
 
+    if ((strcmp(name, ".") == 0) || (strcmp(name, "..") == 0) ||
+        (strchr(name, '/') != NULL)) {
+        char errMsg[80];
+
+        snprintf(errMsg, sizeof(errMsg), "Invalid name: %s", (const char *) name);
+        ALOGE("%s (b/130656917)", errMsg);
+        android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,
+                                      strlen(errMsg));
+
+        return MTP_RESPONSE_INVALID_PARAMETER;
+    }
     if (path[path.size() - 1] != '/')
         path.append("/");
     path.append(name);