Gitiles
Code Review Sign In
review.evervolv.com / android_frameworks_av / c6588763ddc20541688e426a24b1b070527c051f^! / .
commitc6588763ddc20541688e426a24b1b070527c051f[log] [tgz]
authorMike Lockwood <lockwood@android.com>Tue Jun 22 15:03:53 2010 -0400
committerMike Lockwood <lockwood@android.com>Tue Jun 22 16:38:01 2010 -0400
tree1dd6384635a2b54dd4796952cf7e728fa570fd30
parent78c1e5ecb7a1c6474485c94276fb6c2bffebd2dc [diff]
MTP: Use a fd instead of a file path in file transfer ioctls.

This restricts the driver to the client's permissions when copying files
to avoid potential security problems.

Change-Id: I9b3151168d334fe4374875804d4ba82bef44db3b
Signed-off-by: Mike Lockwood <lockwood@android.com>

diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index 0fba4dd..a9b4ca6 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp

@@ -413,14 +413,17 @@
 
 MtpResponseCode MtpServer::doGetObject() {
     MtpObjectHandle handle = mRequest.getParameter(1);
-    MtpString filePath;
+    MtpString pathBuf;
     int64_t fileLength;
-    if (!mDatabase->getObjectFilePath(handle, filePath, fileLength))
+    if (!mDatabase->getObjectFilePath(handle, pathBuf, fileLength))
         return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
+    const char* filePath = (const char *)pathBuf;
 
     mtp_file_range  mfr;
-    mfr.path = filePath;
-    mfr.path_length = strlen(mfr.path);
+    mfr.fd = open(filePath, O_RDONLY);
+    if (mfr.fd < 0) {
+        return MTP_RESPONSE_GENERAL_ERROR;
+    }
     mfr.offset = 0;
     mfr.length = fileLength;
 
@@ -431,6 +434,7 @@
 
     // then transfer the file
     int ret = ioctl(mFD, MTP_SEND_FILE, (unsigned long)&mfr);
+    close(mfr.fd);
     if (ret < 0) {
         if (errno == ECANCELED)
             return MTP_RESPONSE_TRANSACTION_CANCELLED;
@@ -534,13 +538,16 @@
     mData.reset();
 
     mtp_file_range  mfr;
-    mfr.path = (const char*)mSendObjectFilePath;
-    mfr.path_length = strlen(mfr.path);
+    mfr.fd = open(mSendObjectFilePath, O_RDWR | O_CREAT | O_TRUNC);
+    if (mfr.fd < 0) {
+        return MTP_RESPONSE_GENERAL_ERROR;
+    }
     mfr.offset = 0;
     mfr.length = mSendObjectFileSize;
 
     // transfer the file
     ret = ioctl(mFD, MTP_RECEIVE_FILE, (unsigned long)&mfr);
+    close(mfr.fd);
     // FIXME - we need to delete mSendObjectHandle from the database if this fails.
     printf("MTP_RECEIVE_FILE returned %d\n", ret);
     mSendObjectHandle = kInvalidObjectHandle;

diff --git a/media/mtp/f_mtp.h b/media/mtp/f_mtp.h
index 82015a0..c1c9aef 100644
--- a/media/mtp/f_mtp.h
+++ b/media/mtp/f_mtp.h

@@ -24,10 +24,8 @@
 
 
 struct mtp_file_range {
-	/* path for file to transfer */
-	const char	*path;
-	/* strlen(path) */
-	int			path_length;
+	/* file descriptor for file to transfer */
+	int			fd;
 	/* offset in file for start of transfer */
 	loff_t  	offset;
 	/* number of bytes to transfer */