focus_server: Check symbolic link before opening a file 57/222257/1
authorSangchul Lee <sc11.lee@samsung.com>
Mon, 13 Jan 2020 03:40:26 +0000 (12:40 +0900)
committerSangchul Lee <sc11.lee@samsung.com>
Mon, 13 Jan 2020 05:35:40 +0000 (14:35 +0900)
[Version] 0.12.58
[Issue Type] Security vulnerability

Change-Id: I84f699be4b1b6e82e33aeaf03f9181ddac9f0fbf
Signed-off-by: Sangchul Lee <sc11.lee@samsung.com>
focus_server/mm_sound_mgr_focus.c
packaging/libmm-sound.spec

index 568b1d8..08249a0 100644 (file)
@@ -21,6 +21,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/stat.h>
 
 #include "include/mm_sound_mgr_focus.h"
 #include "../include/mm_sound_common.h"
@@ -166,6 +167,25 @@ static int _mm_sound_mgr_focus_get_priority_from_stream_type(int *priority, cons
        return ret;
 }
 
+static int __check_file_safety(const char *file)
+{
+       struct stat ls;
+
+       if ((lstat(file, &ls) == -1) && (errno != ENOENT)) {
+               char str_error[256];
+               strerror_r(errno, str_error, sizeof(str_error));
+               debug_error("failed to lstat() (%s, err:%s)", file, str_error);
+               return -1;
+       }
+
+       if (S_ISLNK(ls.st_mode)){
+               debug_error("symbolic link is detected (%s)", file);
+               return -1;
+       }
+
+       return 0;
+}
+
 static void _invoke_watch_callback(focus_node_t *node, const char *stream_type, focus_type_e focus_type, focus_command_e command, const _mm_sound_mgr_focus_param_t *param)
 {
        int ret = -1;
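Review bot: In `__check_file_safety`, when `lstat()` fails with `ENOENT` the first branch is skipped and `S_ISLNK(ls.st_mode)` then reads `ls`, which was never filled in, so the result is indeterminate. Handle the missing-file case explicitly inside the failure branch, e.g. `if (errno == ENOENT) return 0;` before the error logging, or initialise the struct with `struct stat ls = {0};`. The helper also uses `errno` and `ENOENT` while the commit adds only `<sys/stat.h>`, so confirm `<errno.h>` is already included in this file. I would also add a short comment above the function stating its contract: `/* Returns 0 if 'file' is absent or not a symlink, -1 on lstat error or symlink. */`.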
@@ -204,10 +224,11 @@ static void _invoke_watch_callback(focus_node_t *node, const char *stream_type,
         *
         **************************************/
        filename = __get_focus_pipe_path(cb_data.pid, cb_data.handle, NULL, true);
-       if (filename == NULL) {
+       if (filename == NULL || __check_file_safety(filename)) {
                debug_error("[CB] failed to get watch pipe");
                goto RELEASE;
        }
+
        if ((fd_FOCUS = open(filename, O_WRONLY|O_NONBLOCK)) == -1) {
                char str_error[256];
                strerror_r(errno, str_error, sizeof(str_error));
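Review bot: The `__check_file_safety(filename)` call and the `open()` below it are two separate path lookups, so the path can be replaced by a symbolic link between them and the check does not bind what is actually opened. Passing `O_NOFOLLOW` makes the kernel refuse a symlink at the final component atomically: `open(filename, O_WRONLY|O_NONBLOCK|O_NOFOLLOW)`. If these paths are always expected to be FIFOs, an `fstat()` on the returned descriptor checking `S_ISFIFO` would tighten it further. The same applies to the other three call sites changed in this commit (`filename2` here and both paths in `_mm_sound_mgr_focus_do_callback`), whose `open()` calls lie outside the visible hunks. The body of `_invoke_watch_callback` starts and ends outside this hunk.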
@@ -222,7 +243,7 @@ static void _invoke_watch_callback(focus_node_t *node, const char *stream_type,
         *
         ******************************************/
         filename2 = __get_focus_pipe_path(cb_data.pid, cb_data.handle, "r", true);
-       if (filename2 == NULL) {
+       if (filename2 == NULL || __check_file_safety(filename2)) {
                debug_error("[RETCB] failed to get watch return pipe");
                goto RELEASE;
        }
@@ -459,7 +480,7 @@ int _mm_sound_mgr_focus_do_callback(focus_command_e command, focus_node_t *victi
         *
         **************************************/
        filename = __get_focus_pipe_path(cb_data.pid, cb_data.handle, NULL, false);
-       if (filename == NULL) {
+       if (filename == NULL || __check_file_safety(filename)) {
                debug_error("[CB] failed to get pipe");
                res = -1;
                goto RELEASE;
@@ -479,7 +500,7 @@ int _mm_sound_mgr_focus_do_callback(focus_command_e command, focus_node_t *victi
         *
         ******************************************/
        filename2 = __get_focus_pipe_path(cb_data.pid, cb_data.handle, "r", false);
-       if (filename2 == NULL) {
+       if (filename2 == NULL || __check_file_safety(filename2)) {
                debug_error("[RETCB] failed to get return pipe");
                res = -1;
                goto RELEASE;
index 7d513ad..0b76e39 100644 (file)
@@ -1,6 +1,6 @@
 Name:       libmm-sound
 Summary:    MMSound Package contains client lib and sound_server binary
-Version:    0.12.57
+Version:    0.12.58
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0