syscall: return EINVAL when string arguments have NUL characters Since NUL usually terminates strings in underlying syscalls, allowing it when converting string arguments is a security risk, especially when dealing with filenames. For example, a program might reason that filename like "/root/..\x00/" is a subdirectory or "/root/" and allow access to it, while underlying syscall will treat "\x00" as an end of that string and the actual filename will be "/root/..", which might be unexpected. Returning EINVAL when string arguments have NUL in them makes sure this attack vector is unusable. R=golang-dev, r, bradfitz, fullung, rsc, minux.ma CC=golang-dev https://golang.org/cl/6458050

commit: a108369c830db0b9a9f519fd346b8f593a4d7e14 [log] [tgz]
author: Alexey Borzenkov <snaury@gmail.com> Sun Aug 05 17:24:32 2012 -0400
committer: Russ Cox <rsc@golang.org> Sun Aug 05 17:24:32 2012 -0400
tree: 49455ae21d886b9aaf0ba37f52400375191493b1
parent: 8efb70f92e258d458c183232b985c83b477ed3de [diff] [blame]
diff --git a/src/pkg/syscall/syscall_darwin.go b/src/pkg/syscall/syscall_darwin.go
index c712f94..1ab8f11 100644
--- a/src/pkg/syscall/syscall_darwin.go
+++ b/src/pkg/syscall/syscall_darwin.go

@@ -41,7 +41,10 @@
 	n := uintptr(CTL_MAXNAME) * siz
 
 	p := (*byte)(unsafe.Pointer(&buf[0]))
-	bytes := StringByteSlice(name)
+	bytes, err := ByteSliceFromString(name)
+	if err != nil {
+		return nil, err
+	}
 
 	// Magic sysctl: "setting" 0.3 to a string name
 	// lets you read back the array of integers form.
commit	a108369c830db0b9a9f519fd346b8f593a4d7e14	[log] [tgz]
author	Alexey Borzenkov <snaury@gmail.com>	Sun Aug 05 17:24:32 2012 -0400
committer	Russ Cox <rsc@golang.org>	Sun Aug 05 17:24:32 2012 -0400
tree	49455ae21d886b9aaf0ba37f52400375191493b1
parent	8efb70f92e258d458c183232b985c83b477ed3de [diff] [blame]