- 08 Jun, 2019 1 commit

Committed by Bandan Das

There's no functional change but the flow is (hopefully) more consistent for both file and folder object types.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <20190401211712.19012-4-bsd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 02 May, 2019 3 commits

Committed by Bandan Das

Commit c5ead51f (usb-mtp: return incomplete transfer on a lstat failure) checks if lstat succeeded when updating attributes of a file. However, it also changed behavior to return an error by default. This is incorrect because for smaller file sizes, Qemu will attempt to write the file in one go and there won't be an object for it.

Fixes: c5ead51f
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: jpgwojv9pwv.fsf@linux.bootlegged.copy
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Daniel P. Berrangé

The ObjectInfo struct's "filename" field is following a uint8_t field in a packed struct and thus has bad alignment for a 16-bit field. Switch the field to uint8_t and use the helper function for accessing unaligned 16-bit data.

Note that although the MTP spec specifies big endian, when transported over the USB protocol, data is little endian.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190415154503.6758-4-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Daniel P. Berrangé

The ObjectInfo 'length' field provides the length of the wide character string filename. This is then converted to a multi-byte character string. This may have a different byte count to the wide character string. We should use the C string length of the multi-byte string instead.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190415154503.6758-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 17 Apr, 2019 1 commit

Committed by Daniel P. Berrangé

The ObjectInfo struct has a variable length array containing the UTF-16 encoded filename. The number of characters of trailing data is given by the 'length' field in the struct and this must be validated against the size of the data packet received from the guest.

Since the data is UTF-16, we must convert the byte count we have to a character count before validating. This must take care to truncate if a malicious guest sent an odd number of bytes.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

- 02 Apr, 2019 3 commits

Committed by Daniel P. Berrangé

Watch IDs are allocated from incrementing an int counter against the QFileMonitor object. In very long life QEMU processes with a huge amount of USB MTP activity creating & deleting directories it is just about conceivable that the int counter can wrap around. This would result in incorrect behaviour of the file monitor watch APIs due to clashing watch IDs.

Instead of trying to detect this situation, this patch changes the way watch IDs are allocated. It is turned into an int64_t variable where the high 32 bits are set from the underlying inotify "int" ID. This gives an ID that is guaranteed unique for the directory as a whole, and we can rely on the kernel to enforce this. QFileMonitor then sets the low 32 bits from a per-directory counter.

The USB MTP device only sets watches on the directory as a whole, not files within, so there is no risk of guest triggered wrap around on the low 32 bits.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Committed by Bandan Das

This function is used in the delete path only and can be replaced by a call to usb_mtp_object_free.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <20190401211712.19012-3-bsd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

Spotted by Coverity: CID 1399414

mtp delete allows the return status of delete succeeded, partial_delete or readonly - when none of the objects could be deleted.

Give more meaningful names to return values of the delete function.

Some initiators recurse over the objects themselves. In that case, only READ_ONLY can be returned.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <20190401211712.19012-2-bsd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 07 Mar, 2019 3 commits

Committed by Bandan Das

Spotted by Coverity: CID 1399144

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190306210409.14842-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

During a write, free up the "path" before getting more data. Also, while we're at it, remove the confusing usage of d->fd for storing mkdir status.

Spotted by Coverity: CID 1398642

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190306210409.14842-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

MTP writes objects in small chunks and at the end gets the real file size to update the object metadata. If this fails for any reason, return an INCOMPLETE_TRANSFER to the initiator.

Spotted by Coverity: CID 1398651

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190306210409.14842-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 26 Feb, 2019 3 commits

Committed by Daniel P. Berrangé

The internal inotify APIs allow a lot of conditional statements to be cleared out, and provide a simpler callback for handling events.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Committed by Daniel P. Berrangé

Various functions accepting 'char *' string parameters were missing 'const' qualifiers.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Committed by Daniel P. Berrangé

IN_ISDIR is not a bit that one can request when registering a watch with inotify_add_watch. Rather it is a bit that is set automatically when reading events from the kernel.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

- 30 Jan, 2019 4 commits

Committed by Bandan Das

qemu_write_full takes care of partial blocking writes, as in cases of larger file sizes.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190129131908.27924-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

For every MTP_WRITE_BUF_SZ copied, this patch writes it to file before getting the next block of data. The file is kept opened for the duration of the operation but the sanity checks on the write operation are performed only once when the write operation starts. Additionally, we also update the file size in the object metadata once the file has completely been written.

Suggested-by: Gerd Hoffman <kraxel@redhat.com>
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190129131908.27924-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

This is a "pre-patch" to breaking up the write buffer for MTP writes. Instead of allocating a mtp buffer equal to size sent by the initiator, we start with a small size and reallocate multiples (of that small size) as needed.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190129131908.27924-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Li Qiang

Spotted by Coverity: CID 1397070

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190103133113.49599-1-liq3ea@163.com
[ kraxel: dropped chunk which adds close() after successful fdopendir() call, that is not needed according to POSIX even though Coverity flags it as bug ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 11 Jan, 2019 1 commit

Committed by Paolo Bonzini

The new definition of QTAILQ does not require passing the headname, remove it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

- 08 Jan, 2019 1 commit

Committed by Li Qiang

Spotted by Coverity: CID 1397074

Fixes: c52d46e0
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190103132605.49476-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 14 Dec, 2018 2 commits

Committed by Michael Hanselmann

The filename length in MTP metadata is specified by the guest. By trusting it directly it'd theoretically be possible to get the host to write memory parts outside the filename buffer into a filename. In practice though there are usually NUL bytes stopping the string operations.

Also use the opportunity to not assign the filename member twice.

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Message-id: ab70659d8d5c580bdf150a5f7d5cc60c8e374ffc.1544740018.git.public@hansmi.ch
[ kraxel: codestyle fix: break a long line ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Gerd Hoffmann

Open files and directories with O_NOFOLLOW to avoid symlink attacks. While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack requires swapping an existing file or directory below rootdir for a symlink and winning the race against the inotify notification to qemu.

Fixes: CVE-2018-16872
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Message-id: 20181213122511.13853-1-kraxel@redhat.com

- 04 Dec, 2018 2 commits

Committed by Gerd Hoffmann

Slash is unix directory separator, so they are not allowed in filenames. Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com

Committed by Gerd Hoffmann

Make utf16_to_str return an allocated string. Remove the assumption that the number of string bytes equals the number of utf16 chars (which is only true for ascii chars). Instead call wcstombs twice, once to figure the storage size and once for the actual conversion (as suggested by the wcstombs manpage).

FIXME: surrogate pairs are not working correctly. Pre-existing bug, fixing that is left for another day.

Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20181203101045.27976-2-kraxel@redhat.com

- 01 Oct, 2018 2 commits

Committed by Bandan Das

Stale values in this field may result in qemu expecting more data on the next operation.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180907220851.9658-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan

Return STORE_FULL if we can't write all the bytes but return incomplete transfer if data received is less than what was specified in the metadata. Also, use d->offset as the file size which is valid for all file sizes.

Signed-off-by: Bandan <bsd@redhat.com>
Message-id: 20180907220851.9658-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 21 Aug, 2018 5 commits

Committed by Bandan Das

x-root was renamed as such owing to the experimental nature of the property; the underlying filesystem semantics were undecided.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-6-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

To support larger file transfers, rely on a short packet to detect end of the data phase and rewrite d->length to the size received.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-5-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

For large buffers, write may not copy the full buffer. For example, on Linux, write imposes a limit of 0x7ffff000. Note that this does not fix >4G transfers but ~>2G files will transfer successfully.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

usb_mtp_realloc() was being incorrectly used when allocating buffer for incoming data. Set d->length only after resizing the buffer.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

The initiator can choose to cancel an ongoing request which is specified by bRequest=0x64. If such a request arrives, free up any pending state.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 12 Jun, 2018 2 commits

Committed by Bandan Das

CID 1390604

If the initiator sends a packet with TYPE_DATA set without initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data can trip on a null s->data_out.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <jpgr2m8ajfk.fsf_-_@linux.bootlegged.copy>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Philippe Mathieu-Daudé

This fixes:

    hw/usb/dev-mtp.c:971:5: warning: 4th function call argument is an uninitialized value
    trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, c->argv[1], c->argv[2]);
    ^~~~~~~~~~

and:

    hw/usb/dev-mtp.c:981:12: warning: Assigned value is garbage or undefined
    offset = c->argv[1];
    ^ ~~~~~~~~~~

Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180604151421.23385-3-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 02 Jun, 2018 1 commit

Committed by Michael S. Tsirkin

When pulling in headers that are in the same directory as the C file (as opposed to one in include/), we should use its relative path, without a directory.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

- 07 May, 2018 2 commits

Committed by Bandan Das

Currently, it's only being checked if desc is NULL and so write support breaks upon specifying desc.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180503192028.14353-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

CID 1390578: In usb_mtp_write_metadata, parent can never be NULL but just in case, add an assert
CID 1390592: Check for o->format only if o != NULL
CID 1390604: Check s->data_out != NULL in usb_mtp_handle_data

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180503192028.14353-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

- 26 Feb, 2018 4 commits

Committed by Bandan Das

This patch implements a dummy ObjectInfo structure so that it's easy to typecast the incoming data. If the metadata is valid, write_pending is set. Also, the incoming filename is utf-16, so, instead of depending on external libraries, just implement a simple function to get the filename.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-6-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

Allow write operations on behalf of the initiator. The precursor to write is the sending of the write metadata that consists of the ObjectInfo dataset. This patch introduces a flag that is set when the responder is ready to receive write data based on a previous SendObjectInfo operation by the initiator (The SendObjectInfo implementation is in a later patch).

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-5-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

Write of existing objects by the initiator is achieved by making a temporary buffer with the new changes, deleting the old file and then writing a new file with the same name. Also, add a "readonly" property which needs to be set to false for deletion to work.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Committed by Bandan Das

Fix a possible null dereference when deleting a folder and its contents. An ignored event might be received for its contents after the parent folder is deleted which will return a null object.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>