Although ntohs and htons perform equivalent operations (a byte swap on
little-endian platforms), their semantic roles (as implied by the names)
are different.
In fuzz_common.c, we get integers from simulated network packages, and
convert them for host CPU use, so ntohs is the right variant to use.
Unfortunately, CC ?= afl-gcc doesn't work. This is because CC has a
default value (of "cc"), and the ?= operator only assigns a value if the
variable previously had none. "make" currently compiles with cc.
In this patch, I implemented the more elaborate way to achieve what was
probably intended: "make" will use afl-gcc now, and "make CC=foo" will
compile with "foo".
A fuzzer may generate big packets, and it will interpret assertion
failures as bugs. Instead of asserting that the packet size is
reasonable, simply skip the packet when it's not the case.
../../../../src/../test/unit/ip4/test_ip4.c: In function ‘test_ip4_icmp_replylen_short’:
../../../../src/../test/unit/ip4/test_ip4.c:291:35: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
fail_unless(linkoutput_byte_ctr == icmp_len + sizeof(unknown_proto));
Plus minor cleanup in second icmp reply test
Like pbuf_copy, but can copy part of a pbuf to an offset in another.
pbuf_copy now uses this function internally.
Replace pbuf_take_at loop in icmp6 with pbuf_copy_partial_pbuf().
../../../../src/../test/unit/ip6/test_ip6.c: In function ‘test_ip6_dest_unreachable_chained_pbuf’:
../../../../src/../test/unit/ip6/test_ip6.c:314:16: error: ‘main’ is usually a function [-Werror=main]
struct pbuf *main = pbuf_alloc(PBUF_RAW, sizeof(udp_hdr), PBUF_ROM);
^~~~
cc1: all warnings being treated as errors
With the payload lengths not matching between source and destination.
Also remove redundant allocation check in other test, it is now done
in the test setup code.
When using LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC:
fuzz_common.c: In function ‘lwip_fuzz_rand’:
fuzz_common.c:683:11: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
683 | if (idx >= sizeof(rand_nrs)/sizeof((rand_nrs)[0])) {
| ^~
cc1: all warnings being treated as errors
Fuzz tests need reproducible code, so we need an "unsafe" version of
LWIP_RAND() in this case...
Also, to reproduce fuzz tests cases from Linux on Windows,
LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC provides the first 20 random numbers that
glibc would have...