sync with Tizen 4.0 mtp-respondersubmit/tizen/20180716.062125 accepted/tizen/unified/20180716.185745

- Fix svace issue - Fix DDos problem Signed-off-by: Jihoon Jung <jh8801.jung@samsung.com> Change-Id: Iee8fee79f24c0ef7d7e312a4618a8af070964dfa
author: Jihoon Jung <jh8801.jung@samsung.com> 2018-07-16 13:55:41 +0900
committer: Jihoon Jung <jh8801.jung@samsung.com> 2018-07-16 13:56:07 +0900
commit: c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee (patch)
tree: 3a1172204d2e7fc9bdf6c9913a816ed4ffc72ab6
parent: 45f7b1bb0ee6bec4760ff8046f95f74a1a749428 (diff)
download: mtp-responder-c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee.tar.gz
mtp-responder-c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee.tar.bz2
mtp-responder-c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee.zip
5 files changed, 71 insertions, 18 deletions
diff --git a/packaging/mtp-responder.spec b/packaging/mtp-responder.spec
index 567671b..849f491 100755
--- a/packaging/mtp-responder.spec
+++ b/packaging/mtp-responder.spec
@@ -5,7 +5,7 @@ ExcludeArch: %arm aarch64
 
 Name:       mtp-responder
 Summary:    Media Transfer Protocol daemon (responder)
-Version:    0.0.30
+Version:    0.0.31
 Release:    1
 Group:      Network & Connectivity/Other
 License:    Apache-2.0
diff --git a/src/mtp_cmd_handler.c b/src/mtp_cmd_handler.c
index cce170e..c2e1086 100755
--- a/src/mtp_cmd_handler.c
+++ b/src/mtp_cmd_handler.c
@@ -42,6 +42,7 @@ extern pthread_mutex_t g_cmd_inoti_mutex;
 extern mtp_config_t g_conf;
 
 mtp_bool g_is_sync_estab = FALSE;
+mtp_bool g_is_send_object = FALSE;
 
 /*
  * STATIC VARIABLES
@@ -53,6 +54,8 @@ static mtp_uint16 g_count_open_session = 0;
 static mtp_uint32 g_old_open_session_time = 0;
 #endif/*MTP_USE_SKIP_CONTINUOUS_OPENSESSION*/
 
+#define LEN 20
+
 /*
  * STATIC FUNCTIONS
  */
@@ -289,6 +292,21 @@ static void __process_commands(mtp_handler_t *hdlr, cmd_blk_t *cmd)
 		 */
 		if (_device_get_phase() == DEVICE_PHASE_IDLE) {
 			DBG("DATAOUT COMMAND PHASE!!");
+			if (hdlr->usb_cmd.code == PTP_OPCODE_SENDOBJECT) {
+				mtp_char parent_path[MTP_MAX_PATHNAME_SIZE + 1] = { 0 };
+
+				if (g_mgr->ftemp_st.filepath) {
+					_util_get_parent_path(g_mgr->ftemp_st.filepath, parent_path);
+					DBG("g_mgr->ftemp_st.filepath:[%s], parent_path[%s]\n", g_mgr->ftemp_st.filepath,  parent_path);
+
+					if ((g_strcmp0(parent_path, "/tmp")) != 0)
+						g_is_send_object = TRUE;
+				}
+
+				_eh_send_event_req_to_eh_thread(EVENT_START_DATAOUT,
+					0, 0, NULL);
+			}
+
 			if (hdlr->usb_cmd.code == PTP_OPCODE_SENDOBJECT)
 				_eh_send_event_req_to_eh_thread(EVENT_START_DATAOUT,
 						0, 0, NULL);
@@ -301,6 +319,8 @@ static void __process_commands(mtp_handler_t *hdlr, cmd_blk_t *cmd)
 			break;
 		case PTP_OPCODE_SENDOBJECT:
 			__send_object(hdlr);
+			g_is_send_object = FALSE;
+
 			_eh_send_event_req_to_eh_thread(EVENT_DONE_DATAOUT,
 					0, 0, NULL);
 			break;
@@ -3266,25 +3286,57 @@ static mtp_bool __receive_temp_file_first_packet(mtp_char *data,
 		mtp_int32 data_len)
 {
 	mtp_char *filepath = g_mgr->ftemp_st.filepath;
+	temp_file_struct_t *t = &g_mgr->ftemp_st;
 	mtp_int32 error = 0;
 	mtp_uint32 *data_sz = &g_mgr->ftemp_st.data_size;
 	mtp_char *buffer = g_mgr->ftemp_st.temp_buff;
+	mtp_char buff[LEN], *ptr;
+	mtp_char filename[MTP_MAX_FILENAME_SIZE] = {0};
+	mtp_uint32 i, num, start, range;
+	unsigned int seed;
 
 	_transport_set_mtp_operation_state(MTP_STATE_DATA_TRANSFER_DL);
-	if (access(filepath, F_OK) == 0) {
+	if (!g_is_send_object) {
+		/*create a unique filename for /tmp/.mtptemp.tmp only if
+		 is_send_object = 0. If is_send_object = 0 implies t->filepath
+		 is set in send_object_proplist command to receive the
+		 incoming file */
+		start = 'A';
+		range = 'Z' - 'A';
+
+		seed = time(NULL);
+		for (ptr = buff, i = 1; i < LEN; ++ptr, ++i) {
+			num = rand_r(&seed) % range;
+			*ptr = num+start;
+		}
+		*ptr = '\0';
+
+		g_snprintf(filename, MTP_MAX_FILENAME_SIZE, "%s%s%s", "/tmp/.mtptemp", buff, ".tmp");
+
+		if (t->filepath != NULL) {
+			g_free(t->filepath);
+			t->filepath = NULL;
+		}
+
+		t->filepath = g_strdup(filename);
+	}
+
+	DBG("t->filepath :%s\n", t->filepath);
+
+	if (access(t->filepath, F_OK) == 0) {
 		if (g_mgr->ftemp_st.fhandle != NULL) {
 			_util_file_close(g_mgr->ftemp_st.fhandle);
 			g_mgr->ftemp_st.fhandle = NULL;	/* initialize */
 		}
 
-		if (remove(filepath) < 0) {
-			ERR_SECURE("remove(%s) Fail", filepath);
+		if (remove(t->filepath) < 0) {
+			ERR_SECURE("remove(%s) Fail", t->filepath);
 			__finish_receiving_file_packets(data, data_len);
 			return FALSE;
 		}
 	}
 
-	g_mgr->ftemp_st.fhandle = _util_file_open(filepath, MTP_FILE_WRITE, &error);
+	g_mgr->ftemp_st.fhandle = _util_file_open(t->filepath, MTP_FILE_WRITE, &error);
 	if (g_mgr->ftemp_st.fhandle == NULL) {
 		ERR("First file handle is invalid!!");
 		__finish_receiving_file_packets(data, data_len);
diff --git a/src/mtp_cmd_handler_util.c b/src/mtp_cmd_handler_util.c
index 8bde5db..3be88cd 100755
--- a/src/mtp_cmd_handler_util.c
+++ b/src/mtp_cmd_handler_util.c
@@ -338,7 +338,7 @@ mtp_err_t _hutil_add_object_entry(obj_info_t *obj_info, mtp_char *file_name,
 		 */
 
 		path_len = strlen(store->root_path) + strlen(MTP_TEMP_FILE) + 2;
-		g_mgr->ftemp_st.filepath = g_realloc(g_mgr->ftemp_st.filepath, path_len);
+		g_mgr->ftemp_st.filepath = (mtp_char*)g_malloc0(path_len);
 		if (g_mgr->ftemp_st.filepath == NULL) {
 			ERR("g_realloc Fail");
 			_entity_dealloc_mtp_obj(obj);
diff --git a/src/mtp_init.c b/src/mtp_init.c
index 1fca0d2..a206959 100755
--- a/src/mtp_init.c
+++ b/src/mtp_init.c
@@ -138,13 +138,6 @@ void _mtp_init(add_rem_store_t sel)
 		_device_set_sync_partner(MTP_DEV_PROPERTY_SYNCPARTNER);
 	}
 
-
-	g_mgr->ftemp_st.filepath = g_strdup(MTP_TEMP_FILE_DEFAULT);
-	if (g_mgr->ftemp_st.filepath == NULL) {
-		ERR("g_strdup() Fail");
-		goto MTP_INIT_FAIL;
-	}
-
 	if (g_mgr->ftemp_st.temp_buff == NULL) {
 		/* Allocate memory for temporary */
 		g_mgr->ftemp_st.temp_buff = (mtp_char *)g_malloc(g_conf.write_file_size);
diff --git a/src/transport/mtp_transport.c b/src/transport/mtp_transport.c
index c178c51..3e78d89 100755
--- a/src/transport/mtp_transport.c
+++ b/src/transport/mtp_transport.c
@@ -100,9 +100,14 @@ mtp_err_t _transport_rcv_temp_file_data(mtp_byte *buffer, mtp_uint32 size,
 	}
 
 	/* delete temp file, it have to be called in receive_data fn */
-	if (remove(g_mgr->ftemp_st.filepath) < 0) {
-		ERR_SECURE("remove(%s) Fail", g_mgr->ftemp_st.filepath);
-		_util_print_error();
+	if (g_mgr->ftemp_st.filepath != NULL) {
+		if (remove(g_mgr->ftemp_st.filepath) < 0) {
+			ERR_SECURE("remove(%s) Fail", g_mgr->ftemp_st.filepath);
+			_util_print_error();
+		}
+
+		g_free(g_mgr->ftemp_st.filepath);
+		g_mgr->ftemp_st.filepath = NULL;
 	}
 
 	g_mgr->ftemp_st.data_size = 0;
@@ -132,8 +137,11 @@ mtp_err_t _transport_rcv_temp_file_info(mtp_byte *buf, char *filepath,
 	g_mgr->ftemp_st.data_size = 0;
 	g_mgr->ftemp_st.data_count = 0;
 
-	g_strlcpy(g_mgr->ftemp_st.filepath, MTP_TEMP_FILE_DEFAULT,
-			MTP_MAX_PATHNAME_SIZE + 1);
+	if (g_mgr->ftemp_st.filepath != NULL) {
+		g_free(g_mgr->ftemp_st.filepath);
+		g_mgr->ftemp_st.filepath = NULL;
+	}
+
 	g_mgr->ftemp_st.fhandle = NULL;
 	g_mgr->ftemp_st.file_size = 0;
author	Jihoon Jung <jh8801.jung@samsung.com>	2018-07-16 13:55:41 +0900
committer	Jihoon Jung <jh8801.jung@samsung.com>	2018-07-16 13:56:07 +0900
commit	c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee (patch)
tree	3a1172204d2e7fc9bdf6c9913a816ed4ffc72ab6
parent	45f7b1bb0ee6bec4760ff8046f95f74a1a749428 (diff)
download	mtp-responder-c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee.tar.gz mtp-responder-c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee.tar.bz2 mtp-responder-c0158cb8bea0ec7b4db6a70d4581f9d44ac7fcee.zip