MTP: Sanitize filename provided from MTP host

Fix potential security vulnerability via MTP path traversal Bug: 130656917 Test: atest frameworks/av/media/mtp/tests Test: Manual test: modified libmtp for path traversal attack Test: Manual test: normal recursive folder copy Note: Also patched with 68ccf5c (b/135764253) Change-Id: I467e1e6a76d09951050f7f45e5a63419e540c572 (cherry picked from commit e783e4b24b) Merged-In: I467e1e6a76d09951050f7f45e5a63419e540c572
5 years ago · 6111b2b92a
parent 58cc8f2c02
commit 6111b2b92a
1 changed files with 12 additions and 0 deletions
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp
@ -44,6 +44,7 @@
 #include "MtpStringBuffer.h"

 namespace android {
+static const int SN_EVENT_LOG_ID = 0x534e4554;

 static const MtpOperationCode kSupportedOperationCodes[] = {
    MTP_OPERATION_GET_DEVICE_INFO,
@ -961,6 +962,17 @@ MtpResponseCode MtpServer::doSendObjectInfo() {
    if (!parseDateTime(modified, modifiedTime))
        modifiedTime = 0;

+    if ((strcmp(name, ".") == 0) || (strcmp(name, "..") == 0) ||
+        (strchr(name, '/') != NULL)) {
+        char errMsg[80];
+
+        snprintf(errMsg, sizeof(errMsg), "Invalid name: %s", (const char *) name);
+        ALOGE("%s (b/130656917)", errMsg);
+        android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,
+                                      strlen(errMsg));
+
+        return MTP_RESPONSE_INVALID_PARAMETER;
+    }
    if (path[path.size() - 1] != '/')
        path.append("/");
    path.append(name);