MTP: Use a fd instead of a file path in file transfer ioctls.
This restricts the driver to the client's permissions when copying files
to avoid potential security problems.
Change-Id: I9b3151168d334fe4374875804d4ba82bef44db3b
Signed-off-by: Mike Lockwood <lockwood@android.com>
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index 0fba4dd..a9b4ca6 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp
@@ -413,14 +413,17 @@
MtpResponseCode MtpServer::doGetObject() {
MtpObjectHandle handle = mRequest.getParameter(1);
- MtpString filePath;
+ MtpString pathBuf;
int64_t fileLength;
- if (!mDatabase->getObjectFilePath(handle, filePath, fileLength))
+ if (!mDatabase->getObjectFilePath(handle, pathBuf, fileLength))
return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
+ const char* filePath = (const char *)pathBuf;
mtp_file_range mfr;
- mfr.path = filePath;
- mfr.path_length = strlen(mfr.path);
+ mfr.fd = open(filePath, O_RDONLY);
+ if (mfr.fd < 0) {
+ return MTP_RESPONSE_GENERAL_ERROR;
+ }
mfr.offset = 0;
mfr.length = fileLength;
@@ -431,6 +434,7 @@
// then transfer the file
int ret = ioctl(mFD, MTP_SEND_FILE, (unsigned long)&mfr);
+ close(mfr.fd);
if (ret < 0) {
if (errno == ECANCELED)
return MTP_RESPONSE_TRANSACTION_CANCELLED;
@@ -534,13 +538,16 @@
mData.reset();
mtp_file_range mfr;
- mfr.path = (const char*)mSendObjectFilePath;
- mfr.path_length = strlen(mfr.path);
+ mfr.fd = open(mSendObjectFilePath, O_RDWR | O_CREAT | O_TRUNC);
+ if (mfr.fd < 0) {
+ return MTP_RESPONSE_GENERAL_ERROR;
+ }
mfr.offset = 0;
mfr.length = mSendObjectFileSize;
// transfer the file
ret = ioctl(mFD, MTP_RECEIVE_FILE, (unsigned long)&mfr);
+ close(mfr.fd);
// FIXME - we need to delete mSendObjectHandle from the database if this fails.
printf("MTP_RECEIVE_FILE returned %d\n", ret);
mSendObjectHandle = kInvalidObjectHandle;