From: Sangchul Lee Date: Mon, 13 Jan 2020 03:40:26 +0000 (+0900) Subject: focus_server: Check symbolic link before opening a file X-Git-Tag: accepted/tizen/unified/20200114.130704~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;ds=sidebyside;h=134424eeb5f9d76cf93ee434649c36535e473fb5;p=platform%2Fcore%2Fmultimedia%2Flibmm-sound.git focus_server: Check symbolic link before opening a file [Version] 0.12.58 [Issue Type] Security vulnerability Change-Id: I84f699be4b1b6e82e33aeaf03f9181ddac9f0fbf Signed-off-by: Sangchul Lee --- diff --git a/focus_server/mm_sound_mgr_focus.c b/focus_server/mm_sound_mgr_focus.c index 568b1d8..08249a0 100644 --- a/focus_server/mm_sound_mgr_focus.c +++ b/focus_server/mm_sound_mgr_focus.c @@ -21,6 +21,7 @@ #include #include +#include #include "include/mm_sound_mgr_focus.h" #include "../include/mm_sound_common.h" @@ -166,6 +167,25 @@ static int _mm_sound_mgr_focus_get_priority_from_stream_type(int *priority, cons return ret; } +static int __check_file_safety(const char *file) +{ + struct stat ls; + + if ((lstat(file, &ls) == -1) && (errno != ENOENT)) { + char str_error[256]; + strerror_r(errno, str_error, sizeof(str_error)); + debug_error("failed to lstat() (%s, err:%s)", file, str_error); + return -1; + } + + if (S_ISLNK(ls.st_mode)){ + debug_error("symbolic link is detected (%s)", file); + return -1; + } + + return 0; +} + static void _invoke_watch_callback(focus_node_t *node, const char *stream_type, focus_type_e focus_type, focus_command_e command, const _mm_sound_mgr_focus_param_t *param) { int ret = -1; @@ -204,10 +224,11 @@ static void _invoke_watch_callback(focus_node_t *node, const char *stream_type, * **************************************/ filename = __get_focus_pipe_path(cb_data.pid, cb_data.handle, NULL, true); - if (filename == NULL) { + if (filename == NULL || __check_file_safety(filename)) { debug_error("[CB] failed to get watch pipe"); goto RELEASE; } + if ((fd_FOCUS = open(filename, O_WRONLY|O_NONBLOCK)) == -1) { char str_error[256]; strerror_r(errno, str_error, sizeof(str_error)); @@ -222,7 +243,7 @@ static void _invoke_watch_callback(focus_node_t *node, const char *stream_type, * ******************************************/ filename2 = __get_focus_pipe_path(cb_data.pid, cb_data.handle, "r", true); - if (filename2 == NULL) { + if (filename2 == NULL || __check_file_safety(filename2)) { debug_error("[RETCB] failed to get watch return pipe"); goto RELEASE; } @@ -459,7 +480,7 @@ int _mm_sound_mgr_focus_do_callback(focus_command_e command, focus_node_t *victi * **************************************/ filename = __get_focus_pipe_path(cb_data.pid, cb_data.handle, NULL, false); - if (filename == NULL) { + if (filename == NULL || __check_file_safety(filename)) { debug_error("[CB] failed to get pipe"); res = -1; goto RELEASE; @@ -479,7 +500,7 @@ int _mm_sound_mgr_focus_do_callback(focus_command_e command, focus_node_t *victi * ******************************************/ filename2 = __get_focus_pipe_path(cb_data.pid, cb_data.handle, "r", false); - if (filename2 == NULL) { + if (filename2 == NULL || __check_file_safety(filename2)) { debug_error("[RETCB] failed to get return pipe"); res = -1; goto RELEASE; diff --git a/packaging/libmm-sound.spec b/packaging/libmm-sound.spec index 7d513ad..0b76e39 100644 --- a/packaging/libmm-sound.spec +++ b/packaging/libmm-sound.spec @@ -1,6 +1,6 @@ Name: libmm-sound Summary: MMSound Package contains client lib and sound_server binary -Version: 0.12.57 +Version: 0.12.58 Release: 0 Group: System/Libraries License: Apache-2.0