From e827763f2e6226d9f5778d56c28270264950c0f5 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Tue, 23 May 2017 20:46:24 +0200 Subject: nametransform: harden name decryption against invalid input This fixes a few issues I have found reviewing the code: 1) Limit the amount of data ReadLongName() will read. Previously, you could send gocryptfs into out-of-memory by symlinking gocryptfs.diriv to /dev/zero. 2) Handle the empty input case in unPad16() by returning an error. Previously, it would panic with an out-of-bounds array read. It is unclear to me if this could actually be triggered. 3) Reject empty names after base64-decoding in DecryptName(). An empty name crashes emeCipher.Decrypt(). It is unclear to me if B64.DecodeString() can actually return a non-error empty result, but let's guard against it anyway. --- internal/fusefrontend/fs_dir.go | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'internal/fusefrontend/fs_dir.go') diff --git a/internal/fusefrontend/fs_dir.go b/internal/fusefrontend/fs_dir.go index 7d1e3ef..30e715a 100644 --- a/internal/fusefrontend/fs_dir.go +++ b/internal/fusefrontend/fs_dir.go @@ -273,16 +273,14 @@ func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, f // silently ignore "gocryptfs.conf" in the top level dir continue } - if !fs.args.PlaintextNames && cName == nametransform.DirIVFilename { - // silently ignore "gocryptfs.diriv" everywhere if dirIV is enabled - continue - } - if fs.args.PlaintextNames { plain = append(plain, cipherEntries[i]) continue } - + if cName == nametransform.DirIVFilename { + // silently ignore "gocryptfs.diriv" everywhere if dirIV is enabled + continue + } // Handle long file name isLong := nametransform.LongNameNone if fs.args.LongNames { @@ -301,7 +299,6 @@ func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, f // ignore "gocryptfs.longname.*.name" continue } - name, err := fs.nameTransform.DecryptName(cName, cachedIV) if err != nil { tlog.Warn.Printf("OpenDir %q: invalid entry %q: %v", -- cgit v1.2.3