WSL-Helper: Add test for cert use-after-free
Signed-off-by: Mark Yen <[email protected]>
Showing
2 changed files
with
48 additions
and
0 deletions.
|
@@ -243,6 +243,7 @@ fav | |
fcb | ||
fdx | ||
featurename | ||
FEEEFEEE | ||
femto | ||
ffi | ||
ficlone | ||
|
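--- a/src/go/wsl-helper/pkg/certificates/certificates_windows_test.go
+++ b/src/go/wsl-helper/pkg/certificates/certificates_windows_test.go
@@ -0,0 +1,47 @@
+package certificates_test
+
+import (
+"bytes"
+"crypto/x509"
+"encoding/pem"
+"testing"
+
+"github.com/rancher-sandbox/rancher-desktop/src/go/wsl-helper/pkg/certificates"
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+)
+
+// Test that we don't use memory that we don't own
+func TestGetSystemCertificates_UseAfterFree(t *testing.T) {
+var certs []*x509.Certificate
+ch, err := certificates.GetSystemCertificates("CA")
+require.NoError(t, err, "failed to get CA certificates")
+for entry := range ch {
+if assert.NoError(t, err, entry.Err) {
+certs = append(certs, entry.Cert)
+}
+}
+ch, err = certificates.GetSystemCertificates("ROOT")
+require.NoError(t, err, "failed to get ROOT certificates")
+for entry := range ch {
+if assert.NoError(t, err, entry.Err) {
+certs = append(certs, entry.Cert)
+}
+}
+
+// By this point, both channels have been closed, which also means we have
+// closed both cert stores.
+for _, cert := range certs {
+buf := bytes.Buffer{}
+block := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
+err = pem.Encode(&buf, block)
+if assert.NoError(t, err, "Failed to encode certificate") {
+// Look for invalid certificates:
+// - A line of all A (nulls)
+// - A line with 0xFEEEFEEE (HeapAlloc freed marker)
+output := buf.String()
+assert.NotContains(t, output, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "encoded cert contains nulls")
+assert.NotContains(t, output, "7v7u/u7+7v7u/u7+7v7u/u7+7v7u/u7+7v7u/u7+7v7u/u7+7v7u/u7+7v7u/u7+", "encoded cert contains FEEEFEEE")
+}
+}
+}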
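Review bot: Both collection loops call `assert.NoError(t, err, entry.Err)`, which re-checks the outer `err` that `require.NoError` has already shown to be nil and passes `entry.Err` only as the failure message, so a per-entry error is never detected. Such an entry is appended anyway, and if its `Cert` is nil (the entry type is not shown on this page) the later `cert.Raw` access would panic rather than fail cleanly. The check should read `if assert.NoError(t, entry.Err) {` in both loops. A `require.NotEmpty(t, certs)` before the final loop would also stop the test from passing vacuously when neither store yields a certificate. Because the detection relies on freed memory still holding zeros or the 0xFEEEFEEE fill, a comment noting that a pass is not proof of memory safety would help later readers.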