Although ntohs and htons perform equivalent operations (a byte swap on
little-endian platforms), their semantic roles (as implied by the names)
are different.
In fuzz_common.c, we get integers from simulated network packages, and
convert them for host CPU use, so ntohs is the right variant to use.
Unfortunately, CC ?= afl-gcc doesn't work. This is because CC has a
default value (of "cc"), and the ?= operator only assigns a value if the
variable previously had none. "make" currently compiles with cc.
In this patch, I implemented the more elaborate way to achieve what was
probably intended: "make" will use afl-gcc now, and "make CC=foo" will
compile with "foo".
A fuzzer may generate big packets, and it will interpret assertion
failures as bugs. Instead of asserting that the packet size is
reasonable, simply skip the packet when it's not the case.
When using LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC:
fuzz_common.c: In function ‘lwip_fuzz_rand’:
fuzz_common.c:683:11: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
683 | if (idx >= sizeof(rand_nrs)/sizeof((rand_nrs)[0])) {
| ^~
cc1: all warnings being treated as errors
Fuzz tests need reproducible code, so we need an "unsafe" version of
LWIP_RAND() in this case...
Also, to reproduce fuzz tests cases from Linux on Windows,
LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC provides the first 20 random numbers that
glibc would have...
The experimental multi-packet mode splits input bytes depending on a length
decoded from the first 2 bytes and does that until the end of input.
To use this mode, compile with "make D=-DLWIP_FUZZ_MULTI_PACKET"
Signed-off-by: goldsimon <goldsimon@gmx.de>
