nametransform: harden name decryption against invalid input

This fixes a few issues I have found reviewing the code:

1) Limit the amount of data ReadLongName() will read. Previously,
you could send gocryptfs into out-of-memory by symlinking
gocryptfs.diriv to /dev/zero.

2) Handle the empty input case in unPad16() by returning an
error. Previously, it would panic with an out-of-bounds array
read. It is unclear to me if this could actually be triggered.

3) Reject empty names after base64-decoding in DecryptName().
An empty name crashes emeCipher.Decrypt().
It is unclear to me if B64.DecodeString() can actually return
a non-error empty result, but let's guard against it anyway.

1 files changed, 4 insertions, 7 deletions

diff --git a/internal/fusefrontend/fs_dir.go b/internal/fusefrontend/fs_dir.go
index 7d1e3ef..30e715a 100644
--- a/internal/fusefrontend/fs_dir.go
+++ b/internal/fusefrontend/fs_dir.go
@@ -273,16 +273,14 @@ func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, f
 			// silently ignore "gocryptfs.conf" in the top level dir
 			continue
 		}
-		if !fs.args.PlaintextNames && cName == nametransform.DirIVFilename {
-			// silently ignore "gocryptfs.diriv" everywhere if dirIV is enabled
-			continue
-		}
-
 		if fs.args.PlaintextNames {
 			plain = append(plain, cipherEntries[i])
 			continue
 		}
-
+		if cName == nametransform.DirIVFilename {
+			// silently ignore "gocryptfs.diriv" everywhere if dirIV is enabled
+			continue
+		}
 		// Handle long file name
 		isLong := nametransform.LongNameNone
 		if fs.args.LongNames {
@@ -301,7 +299,6 @@ func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, f
 			// ignore "gocryptfs.longname.*.name"
 			continue
 		}
-
 		name, err := fs.nameTransform.DecryptName(cName, cachedIV)
 		if err != nil {
 			tlog.Warn.Printf("OpenDir %q: invalid entry %q: %v",