From: Hyihong Chae Date: Mon, 24 Apr 2017 09:03:52 +0000 (+0900) Subject: fix security issue(TSAM-13252) X-Git-Tag: accepted/tizen/3.0/common/20170508.153020~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F07%2F126607%2F1;p=platform%2Fcore%2Fconnectivity%2Fmtp-responder.git fix security issue(TSAM-13252) Change-Id: I722966e0e1ce9a27bd90352fdda05425990804e6 Signed-off-by: HyiHong Chae --- diff --git a/include/util/mtp_support.h b/include/util/mtp_support.h index b0cc9c4..a67325b 100755 --- a/include/util/mtp_support.h +++ b/include/util/mtp_support.h @@ -54,5 +54,6 @@ void _util_get_parent_path(const mtp_char *fullpath, mtp_char *p_path); void _util_conv_wstr_to_guid(mtp_wchar *wstr, mtp_uint64 *guid); mtp_bool _util_get_unique_dir_path(const mtp_char *exist_path, mtp_char *new_path, mtp_uint32 new_path_buf_len); +mtp_int32 _util_system_cmd_wait(const mtp_char *cmd); #endif /* _MTP_SUPPORT_H_ */ diff --git a/packaging/mtp-responder.spec b/packaging/mtp-responder.spec index bf0299d..8317525 100755 --- a/packaging/mtp-responder.spec +++ b/packaging/mtp-responder.spec @@ -5,7 +5,7 @@ ExcludeArch: %arm aarch64 Name: mtp-responder Summary: Media Transfer Protocol daemon (responder) -Version: 0.0.22 +Version: 0.0.24 Release: 1 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/src/entity/mtp_object.c b/src/entity/mtp_object.c index 358af3c..d8279e5 100755 --- a/src/entity/mtp_object.c +++ b/src/entity/mtp_object.c @@ -507,6 +507,7 @@ mtp_bool _entity_check_child_obj_path(mtp_obj_t *obj, if (_util_is_file_opened(child_obj->file_path) == TRUE) { ERR_SECURE("File [%s] is already opened\n", child_obj->file_path); + _prop_deinit_ptparray(&child_arr); return FALSE; } diff --git a/src/entity/mtp_store.c b/src/entity/mtp_store.c index 7297d8b..c3ae8ac 100755 --- a/src/entity/mtp_store.c +++ b/src/entity/mtp_store.c @@ -1199,7 +1199,8 @@ void _entity_list_modified_files(mtp_uint32 minutes) inter_path, minutes, MTP_FILES_MODIFIED_FILES); DBG("find query is [%s]\n", command); - ret = system(command); + ret = _util_system_cmd_wait(command); + if (WIFSIGNALED(ret) && (WTERMSIG(ret) == SIGINT || WTERMSIG(ret) == SIGQUIT)) { @@ -1215,7 +1216,8 @@ void _entity_list_modified_files(mtp_uint32 minutes) ext_path, minutes, MTP_FILES_MODIFIED_FILES); DBG("find query is [%s]\n", command); - ret = system(command); + ret = _util_system_cmd_wait(command); + if (WIFSIGNALED(ret) && (WTERMSIG(ret) == SIGINT || WTERMSIG(ret) == SIGQUIT)) { diff --git a/src/transport/mtp_transport.c b/src/transport/mtp_transport.c index 3eee08b..7c73bbd 100755 --- a/src/transport/mtp_transport.c +++ b/src/transport/mtp_transport.c @@ -419,6 +419,7 @@ void _transport_usb_finalize(void) sizeof(msgq_ptr_t) - sizeof(long), 0)) { ERR("_util_msgq_send() Fail"); } + g_free(pkt.buffer); res = _util_thread_join(g_data_rcv, &th_result); if (res == FALSE) diff --git a/src/util/mtp_support.c b/src/util/mtp_support.c index 83108d6..131939c 100755 --- a/src/util/mtp_support.c +++ b/src/util/mtp_support.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "mtp_support.h" #include "ptp_datacodes.h" #include "mtp_util.h" @@ -643,3 +644,38 @@ SUCCESS: DBG_SECURE("Unique dir name[%s]\n", new_path); return TRUE; } + +mtp_int32 _util_system_cmd_wait(const mtp_char *cmd) +{ + + int pid = 0; + int status = 0; + + if (cmd == NULL) + return -1; + + pid = fork(); + + if (pid == -1) + return -1; + + if (pid == 0) { + char *argv[4]; + argv[0] = "sh"; + argv[1] = "-c"; + argv[2] = (char*)cmd; + argv[3] = 0; + execv("/bin/sh", argv); + exit(127); + } + + do { + if (waitpid(pid, &status, 0) == -1) { + if (errno != EINTR) + return -1; + } else { + return status; + } + } while(1); +} +