From 3784901fcee46d3e14e154b32cc6a7822bcc90f6 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Mon, 13 Feb 2017 09:13:22 +0100 Subject: readpassword: limit password length to 1000 bytes This used to hang at 100% CPU: cat /dev/zero | gocryptfs -init a ...and would ultimately send the box into out-of-memory. The number 1000 is chosen arbitrarily and seems big enough given that the password must be one line. Suggested by @mhogomchungu in https://github.com/rfjakob/gocryptfs/issues/77 . --- internal/readpassword/read.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'internal/readpassword') diff --git a/internal/readpassword/read.go b/internal/readpassword/read.go index fe9be45..74057cf 100644 --- a/internal/readpassword/read.go +++ b/internal/readpassword/read.go @@ -16,7 +16,8 @@ import ( ) const ( - exitCode = 9 + exitCode = 9 + maxPasswordLen = 1000 ) // Once tries to get a password from the user, either from the terminal, extpass @@ -126,6 +127,10 @@ func readPasswordExtpass(extpass string) string { func readLineUnbuffered(r io.Reader) (l string) { b := make([]byte, 1) for { + if len(l) > maxPasswordLen { + tlog.Fatal.Printf("fatal: maximum password length of %d bytes exceeded", maxPasswordLen) + os.Exit(exitCode) + } n, err := r.Read(b) if err == io.EOF { return l -- cgit v1.2.3