diff options
author | Jakob Unterwurzacher | 2017-05-23 20:46:24 +0200 |
---|---|---|
committer | Jakob Unterwurzacher | 2017-05-23 21:26:38 +0200 |
commit | e827763f2e6226d9f5778d56c28270264950c0f5 (patch) | |
tree | 2f5f4adeed482dd473cc4714b97a8903806fdbb3 /internal/nametransform/names_test.go | |
parent | 508fd9e1d64131958c86175cb8d848f730e629cf (diff) |
nametransform: harden name decryption against invalid input
This fixes a few issues I have found reviewing the code:
1) Limit the amount of data ReadLongName() will read. Previously,
you could send gocryptfs into out-of-memory by symlinking
gocryptfs.diriv to /dev/zero.
2) Handle the empty input case in unPad16() by returning an
error. Previously, it would panic with an out-of-bounds array
read. It is unclear to me if this could actually be triggered.
3) Reject empty names after base64-decoding in DecryptName().
An empty name crashes emeCipher.Decrypt().
It is unclear to me if B64.DecodeString() can actually return
a non-error empty result, but let's guard against it anyway.
Diffstat (limited to 'internal/nametransform/names_test.go')
-rw-r--r-- | internal/nametransform/names_test.go | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/internal/nametransform/names_test.go b/internal/nametransform/names_test.go index d772af2..0254777 100644 --- a/internal/nametransform/names_test.go +++ b/internal/nametransform/names_test.go @@ -32,3 +32,20 @@ func TestPad16(t *testing.T) { } } } + +// TestUnpad16Garbage - unPad16 should never crash on corrupt or malicious inputs +func TestUnpad16Garbage(t *testing.T) { + var testCases [][]byte + testCases = append(testCases, make([]byte, 0)) + testCases = append(testCases, make([]byte, 16)) + testCases = append(testCases, make([]byte, 1)) + testCases = append(testCases, make([]byte, 17)) + testCases = append(testCases, bytes.Repeat([]byte{16}, 16)) + testCases = append(testCases, bytes.Repeat([]byte{17}, 16)) + for _, v := range testCases { + _, err := unPad16([]byte(v)) + if err == nil { + t.Fail() + } + } +} |