Fixes byte/character confusion in sandbox::ResolveSymbolicLink

NtQuerySymbolicLinkObject length and UNICODE_STRING lengths are bytes not characters. This lead to target_path.Buffer being overallocated and luckily zero-initialized until in some contexts it wasn't, causing the sync tests to fail as they tried to look up an object with a valid name followed by garbage. Bug: 1139088 Change-Id: I0b7744a8f6d47e52f9909e895abfb0fe6a799716 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2485344 Commit-Queue: Alex Gough <ajgo@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#819096}

Fixes byte/character confusion in sandbox::ResolveSymbolicLink
NtQuerySymbolicLinkObject length and UNICODE_STRING lengths are bytes not characters. This lead to target_path.Buffer being overallocated and luckily zero-initialized until in some contexts it wasn't, causing the sync tests to fail as they tried to look up an object with a valid name followed by garbage. Bug: 1139088 Change-Id: I0b7744a8f6d47e52f9909e895abfb0fe6a799716 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2485344 Commit-Queue: Alex Gough <ajgo@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#819096}
b15f47df · Alex Gough · Commit Bot · eaeb384e · b15f47df
Commit b15f47df authored Oct 20, 2020 by Alex Gough Committed by Commit Bot Oct 20, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 7 deletions

sandbox/win/src/sync_policy.cc sandbox/win/src/sync_policy.cc +12 -7

No files found.
--- a/sandbox/win/src/sync_policy.cc
+++ b/sandbox/win/src/sync_policy.cc
@@ -64,21 +64,26 @@ NTSTATUS ResolveSymbolicLink(const std::wstring& directory_name,
    return status;

  UNICODE_STRING target_path = {};
-  unsigned long target_length = 0;
+  unsigned long target_bytes = 0;
  status =
-      NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_length);
+      NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_bytes);
  if (status != STATUS_BUFFER_TOO_SMALL) {
    CHECK(NT_SUCCESS(NtClose(symbolic_link)));
    return status;
  }

+  // NtQuerySymbolicLinkObject length and UNICODE_STRING lengths are bytes
+  // not characters.
+  size_t target_wchars = target_bytes / sizeof(wchar_t);
  target_path.Length = 0;
-  target_path.MaximumLength = static_cast<USHORT>(target_length);
-  target_path.Buffer = new wchar_t[target_path.MaximumLength + 1];
+  target_path.MaximumLength = static_cast<USHORT>(target_bytes);
+  target_path.Buffer = new wchar_t[target_wchars + 1];
  status =
-      NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_length);
-  if (NT_SUCCESS(status))
-    target->assign(target_path.Buffer, target_length);
+      NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_bytes);
+  if (NT_SUCCESS(status)) {
+    DCHECK_EQ(target_bytes, sizeof(wchar_t) * target_wchars);
+    target->assign(target_path.Buffer, target_wchars);
+  }

  CHECK(NT_SUCCESS(NtClose(symbolic_link)));
  delete[] target_path.Buffer;