Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: NMichael Hanselmann <public@hansmi.ch>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com

Make utf16_to_str return an allocated string.  Remove the assumtion that
the number of string bytes equals the number of utf16 chars (which is
only true for ascii chars).  Instead call wcstombs twice, once to figure
the storage size and once for the actual conversion (as suggested by the
wcstombs manpage).

FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
fixing that is left for another day.
Reported-by: NMichael Hanselmann <public@hansmi.ch>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Message-id: 20181203101045.27976-2-kraxel@redhat.com

Stale values in this field may result in qemu
expecting more data on the next operation
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180907220851.9658-4-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Return STORE_FULL if we can't write all the bytes but
return incomplete transfer if data received is less then
what was specified in the metadata. Also, use d->offset
as the file size which is valid for all file sizes.
Signed-off-by: NBandan <bsd@redhat.com>
Message-id: 20180907220851.9658-2-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

x-root was renamed as such owing to the experimental nature of the
property; the underlying filesystem semantics were undecided
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-6-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

To support larger file transfers, rely on a short packet
to detect end of the data phase and rewrite d->length to
the size received
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-5-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

For large buffers, write may not copy the full buffer. For example,
on Linux, write imposes a limit of 0x7ffff000. Note that this does
not fix >4G transfers but ~>2G files will transfer successfully.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-4-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

usb_mtp_realloc() was being incorrectly used when allocating
buffer for incoming data. Set d->length only after resizing
the buffer.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-3-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The initiator can choose to cancel an ongoing request which
is specified by bRequest=0x64. If such a request arrives,
free up any pending state
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-2-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

CID 1390604
If the initiator sends a packet with TYPE_DATA set without
initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data
can trip on a null s->data_out.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-Id: <jpgr2m8ajfk.fsf_-_@linux.bootlegged.copy>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

This fixes:

  hw/usb/dev-mtp.c:971:5: warning: 4th function call argument is an uninitialized value
      trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path,
                                           c->argv[1], c->argv[2]);
                                                       ^~~~~~~~~~
and:

  hw/usb/dev-mtp.c:981:12: warning: Assigned value is garbage or undefined
      offset = c->argv[1];
               ^ ~~~~~~~~~~

Reported-by: Clang Static Analyzer
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180604151421.23385-3-f4bug@amsat.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

When pulling in headers that are in the same directory as the C file (as
opposed to one in include/), we should use its relative path, without a
directory.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

Currently, it's only being checked if desc is NULL and
so write support breaks upon specifying desc
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180503192028.14353-3-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

CID 1390578: In usb_mtp_write_metadata, parent can never be NULL but
just in case, add an assert
CID 1390592: Check for o->format only if o !=NULL
CID 1390604: Check s->data_out != NULL in usb_mtp_handle_data
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180503192028.14353-2-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

This patch implements a dummy ObjectInfo structure so that
it's easy to typecast the incoming data. If the metadata is
valid, write_pending is set. Also, the incoming filename
is utf-16, so, instead of depending on external libraries, just
implement a simple function to get the filename
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-6-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Allow write operations on behalf of the initiator. The
precursor to write is the sending of the write metadata
that consists of the ObjectInfo dataset. This patch introduces
a flag that is set when the responder is ready to receive
write data based on a previous SendObjectInfo operation by
the initiator (The SendObjectInfo implementation is in a
later patch)
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-5-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Write of existing objects by the initiator is acheived by
making a temporary buffer with the new changes, deleting the
old file and then writing a new file with the same name.

Also, add a "readonly" property which needs to be set to false
for deletion to work.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-4-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Fix a possible null dereference when deleting a folder and
its contents. An ignored event might be received for its contents
after the parent folder is deleted which will return a null object.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-3-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The response to a SendObjectInfo consists of the storageid,
parent obejct handle and the handle reserved for the new
incoming object
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 20180223164829.29683-2-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

It's a storage device, so let's classify it accordingly. And
while we're at it, also add a short description for people who
do not know what MTP means.
Signed-off-by: NThomas Huth <thuth@redhat.com>
Reviewed-by: NLaurent Vivier <laurent@vivier.eu>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Signed-off-by: NStefan Weil <sw@weilnetz.de>
Acked-by: NAlistair Francis <alistair.francis@xilinx.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Some files contain multiple #includes of the same header file.
Removed most of those unnecessary duplicate entries using
scripts/clean-includes.
Reviewed-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NAnand J <anand.indukala@gmail.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Windows uses object properties to determine the size of a file, so to
add object properties, we must also add a minimum set of new commands
and object properties. Most object properties are data that we already
have, except for the unique persistant object identifier. Windows
doesn't use this property, it seems, so we can cheat a bit and just use
the object handle for it.
Signed-off-by: NIsaac Lozano <109lozanoi@gmail.com>
Message-id: a741d0dd380cd7eb1695e1eb34ee6f341183f20a.1470477265.git.109lozanoi@gmail.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

MTP requires that if a file is larger than 4gb or if sending data larger
than 4gb, that the length field be set to 0xFFFFFFFF.

Also widened a couple variables to prevent overflow errors.
Signed-off-by: NIsaac Lozano <109lozanoi@gmail.com>
Message-id: 01ad8ec7775f58575801ac3f13716f553a16815e.1470477265.git.109lozanoi@gmail.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

If an application uses libmtp on the guest system,
it will complain with the warning message:
LIBMTP WARNING: VendorExtensionID: ffffffff
LIBMTP WARNING: VendorExtensionDesc: (null)
LIBMTP WARNING: this typically means the device is PTP (i.e. a camera) but
not a MTP device at all. Trying to continue anyway.

This is because libmtp expects a MTP Vendor Extension ID of 0x00000006 and a
MTP Version of 0x0064. These numbers are taken from Microsoft's MTP Vendor
Extension Identification Message page and are what most physical devices
show.
Signed-off-by: NIsaac Lozano <109lozanoi@gmail.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1460892593-5908-1-git-send-email-109lozanoi@gmail.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Commit 57cb38b3 included qapi/error.h into qemu/osdep.h to get the
Error typedef.  Since then, we've moved to include qemu/osdep.h
everywhere.  Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h.  That's in excess of
100KiB of crap most .c files don't actually need.

Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h.  Include qapi/error.h in .c files that need it and don't
get it now.  Include qapi-types.h in qom/object.h for uint16List.

Update scripts/clean-includes accordingly.  Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h.  Update the list of includes in the qemu/osdep.h
comment quoted above similarly.

This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third.  Unfortunately, the number depending on
qapi-types.h shrinks only a little.  More work is needed for that one.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
[Fix compilation without the spice devel packages. - Paolo]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

inotify_init1 usage was guarded by a check for linux but does not
exist on older distributions like CentOS 5 resulting in build
failures.
Signed-off-by: NMatthew Fortune <matthew.fortune@imgtec.com>
Message-id: 6D39441BF12EF246A7ABCE6654B023536BB85D4A@hhmail02.hh.imgtec.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1457503640-31473-1-git-send-email-peterx@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Use heap instead of stack.
Signed-off-by: NPeter Xu <peterx@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-20-git-send-email-peter.maydell@linaro.org

trace_usb_mtp_inotify_event() was being called after the object was
being freed.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 1450861787-16213-3-git-send-email-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

usb_mtp_inotify_cleanup uses QLIST_FOREACH to pick events
from a list and free them which is incorrect. Use QLIST_FOREACH_SAFE
instead.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 1450861787-16213-2-git-send-email-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

When the host polls for events, we check our
events qlist and send one event at a time. Also, note
that the event packet needs to be sent in one go, so
I increased the max packet size to 64.

Tested with a linux guest.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 1448314625-3855-5-git-send-email-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

For now, we use inotify watches to track only a small number of
events, namely, add, delete and modify. Note that for delete, the kernel
already deactivates the watch for us and we just need to
take care of modifying our internal state.

inotify is a linux only mechanism.
Suggested-by: NGerd Hoffman <kraxel@redhat.com>
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 1448314625-3855-4-git-send-email-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

On a reset, call usb_mtp_object_free on all objects and their children
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 1448314625-3855-3-git-send-email-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

To support adding/removal of objects, we will need to update
the object cache hierarchy we have built internally. Convert
to using a Qlist for easier management.
Signed-off-by: NBandan Das <bsd@redhat.com>
Message-id: 1448314625-3855-2-git-send-email-bsd@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
for two reasons.  One, it catches multiplication overflowing size_t.
Two, it returns T * rather than void *, which lets the compiler catch
more type errors.

This commit only touches allocations with size arguments of the form
sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f5.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

When x-root property not be configured, will cause segfault
because of null pointer accessing. Add a check for s->root
property avoid segfault.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>