diff --git a/internal/nametransform/diriv.go b/internal/nametransform/diriv.go index e74592a..902999b 100644 --- a/internal/nametransform/diriv.go +++ b/internal/nametransform/diriv.go @@ -1,6 +1,7 @@ package nametransform import ( + "bytes" "io" "os" "path/filepath" @@ -46,6 +47,9 @@ func ReadDirIVAt(dirfd *os.File) (iv []byte, err error) { return fdReadDirIV(fd) } +// allZeroDirIV is preallocated to quickly check if the data read from disk is all zero +var allZeroDirIV = make([]byte, DirIVLen) + // fdReadDirIV reads and verifies the DirIV from an opened gocryptfs.diriv file. func fdReadDirIV(fd *os.File) (iv []byte, err error) { // We want to detect if the file is bigger than DirIVLen, so @@ -61,6 +65,10 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) { tlog.Warn.Printf("ReadDirIVAt: wanted %d bytes, got %d. Returning EINVAL.", DirIVLen, len(iv)) return nil, syscall.EINVAL } + if bytes.Equal(iv, allZeroDirIV) { + tlog.Warn.Printf("ReadDirIVAt: diriv is all-zero. Returning EINVAL.") + return nil, syscall.EINVAL + } return iv, nil }