Just wanted to share my modest success so far in getting the Heartbleed bug under test. It’s still very rough, and only tickles one of the Heartbleed corners and that of its fix right now, but it’s a solid proof-of-concept that I’ll polish and complete over the weekend. Plus, it’s really tiny.
If you want to play with building and running it, as per CVE-2014-0160, grab the following OpenSSL sources:
and a bunch of data that shouldn’t be there. I’m not gonna post mine because, well, it’s private! (In the version of OpenSSL containing the bug, the test also aborts on exit in the default optimized mode; I’ll try to figure that out, too.)
It took me a while to figure out which dead chickens to wave and in what way to get the objects I needed in place, but the test’s still pretty damned small. It’s easier for me to produce this test knowing where to look for the bug, but still, it’s clear that a small unit test conceivably could have caught this, or at least accompanied its fix as a regression test.
So here it is; enjoy for now, and I’ll post a polished version later this weekend:
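The following is an added example, not the author's test and not OpenSSL code: a simplified C model of the heartbeat length check, with a helper that a regression test can assert on. The names `hb_respond` and `hb_case`, and the constructed requests, are assumptions made for illustration; the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16            /* RFC 6520: at least 16 bytes of padding */
#define HB_HDR      3             /* type (1 byte) + payload_length (2 bytes) */

/* Simplified model of heartbeat handling; hypothetical names, not OpenSSL code.
 * Returns the response length, or 0 when the request is silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the claimed payload must fit inside the record
     * that was actually received. Without it, memcpy reads past rec. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return 0;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real padding is random */
    return resp_len;
}

/* Test helper: builds a constructed request whose header claims `claimed`
 * payload bytes while carrying `actual` (<= 64) bytes, then returns the
 * length of the response the handler produces. */
size_t hb_case(uint16_t claimed, size_t actual)
{
    static uint8_t out[HB_HDR + 65535 + HB_MIN_PAD];
    uint8_t rec[HB_HDR + 64 + HB_MIN_PAD];
    if (actual > 64)
        return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memset(rec + HB_HDR, 'A', actual);
    memset(rec + HB_HDR + actual, 0, HB_MIN_PAD);
    return hb_respond(rec, HB_HDR + actual + HB_MIN_PAD, out, sizeof out);
}

int main(void) { return hb_case(0x4000, 4) == 0 ? 0 : 1; }
```

Removing the bounds check from `hb_respond` makes the over-claiming cases return a non-zero length, which is the condition a regression test should fail on.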