lwip/test/fuzz
Erik Ekman 9b1056ef0e fuzz: Fix compile error in simulated glibc rand
When using LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC:

fuzz_common.c: In function ‘lwip_fuzz_rand’:
fuzz_common.c:683:11: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
  683 |   if (idx >= sizeof(rand_nrs)/sizeof((rand_nrs)[0])) {
      |           ^~
cc1: all warnings being treated as errors
2020-06-19 13:26:58 +02:00
inputs added fuzz tests (moved from contrib/ports/unix/fuzz to get them to a more prominent place, even if afl-fuzz still needs *nix to run) 2016-12-15 21:39:46 +01:00
config.h
fuzz2.c fuzz: add more fuzz tests 2020-02-20 21:55:13 +01:00
fuzz3.c fuzz: whitespace fixes 2020-03-09 21:50:50 +01:00
fuzz_common.c fuzz: Fix compile error in simulated glibc rand 2020-06-19 13:26:58 +02:00
fuzz_common.h fuzz: add more fuzz tests 2020-02-20 21:55:13 +01:00
fuzz.c fuzz: add more fuzz tests 2020-02-20 21:55:13 +01:00
lwipopts.h fuzz: allow overriding LWIP_RAND for fuzz tests 2020-03-27 22:42:06 +01:00
Makefile fuzz: make CC overridable from 'afl-gcc' 2020-03-09 21:40:30 +01:00
output_to_pcap.sh
README test: split fuzz into different files and binaries 2020-02-17 22:05:46 +01:00

Fuzzing the lwIP stack (afl-fuzz requires Linux/Unix or similar)

This directory contains small apps that read Ethernet frames from stdin and
process them. They are used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool will read the known inputs, and
try to modify them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.

Just running make will produce the test programs.

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU
scheduler; set AFL_SKIP_CPUFREQ=1 to ignore that.
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting, try
executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".

The input is split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.
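
The steps above can be scripted. The following is an added example, not part of lwIP or of this README: it checks the core_pattern setting and prints one afl-fuzz command per input subdirectory, capped at the core count. The function names, the script name plan.sh and the per-instance output layout (output/<subdir>) are assumptions.

```shell
#!/bin/sh
# Added example, not part of lwIP. Function names and the output layout
# (<out_root>/<subdir>) are assumptions made for this sketch.

# Succeeds if core_pattern pipes crashes to a helper program, which is the
# setting afl-fuzz complains about. $1: file to inspect (default: live one).
core_pattern_is_piped() {
  pattern_file=${1:-/proc/sys/kernel/core_pattern}
  [ -r "$pattern_file" ] || return 1
  first_line=
  IFS= read -r first_line < "$pattern_file" || true
  case $first_line in
    '|'*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Print one afl-fuzz command per non-empty input subdirectory, capped at
# max_jobs so there is at most one instance per core.
# $1: inputs dir  $2: output root  $3: target binary  $4: max_jobs
plan_fuzz_jobs() {
  inputs_dir=$1 out_root=$2 target=$3 max_jobs=$4
  count=0
  for dir in "$inputs_dir"/*/; do
    [ -d "$dir" ] || continue                    # glob matched nothing
    [ -n "$(ls -A "$dir")" ] || continue         # afl-fuzz needs seed files
    [ "$count" -lt "$max_jobs" ] || break
    name=$(basename "$dir")
    printf 'AFL_SKIP_CPUFREQ=1 afl-fuzz -i %s -o %s %s\n' \
      "$inputs_dir/$name" "$out_root/$name" "$target"
    count=$((count + 1))
  done
  return 0
}

# Stand-alone use: "sh plan.sh --plan" prints the commands for ./inputs.
if [ "${1:-}" = "--plan" ]; then
  if core_pattern_is_piped; then
    echo "core_pattern is piped; afl-fuzz will complain about it" >&2
  fi
  cores=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
  plan_fuzz_jobs inputs output ./lwip_fuzz "$cores"
fi
```

Each printed line is meant to be started in its own terminal or session, so that every instance keeps its own output directory.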

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have the hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create a pcap file for each input
file to simplify viewing in Wireshark.

The lwipopts.h file needs to have checksum checking off, otherwise almost every
packet will be discarded for failing the checksum. The other options can be
tuned to expose different parts of the code.