syscall: return EINVAL when string arguments have NUL characters

Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory or "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.

R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050

1 files changed, 8 insertions, 2 deletions

diff --git a/src/pkg/path/filepath/symlink_windows.go b/src/pkg/path/filepath/symlink_windows.go
index 1ee939928e..9adc8a48af 100644
--- a/src/pkg/path/filepath/symlink_windows.go
+++ b/src/pkg/path/filepath/symlink_windows.go
@@ -9,7 +9,10 @@ import (
 )
 
 func toShort(path string) (string, error) {
-	p := syscall.StringToUTF16(path)
+	p, err := syscall.UTF16FromString(path)
+	if err != nil {
+		return "", err
+	}
 	b := p // GetShortPathName says we can reuse buffer
 	n, err := syscall.GetShortPathName(&p[0], &b[0], uint32(len(b)))
 	if err != nil {
@@ -26,7 +29,10 @@ func toShort(path string) (string, error) {
 }
 
 func toLong(path string) (string, error) {
-	p := syscall.StringToUTF16(path)
+	p, err := syscall.UTF16FromString(path)
+	if err != nil {
+		return "", err
+	}
 	b := p // GetLongPathName says we can reuse buffer
 	n, err := syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
 	if err != nil {