Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar)

This directory contains a small app that reads Ethernet frames from stdin and
processes them. It is used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool reads the known inputs and
mutates them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.

Just running make will produce the test program.

Running make with parameter 'D=-DLWIP_FUZZ_MULTI_PACKET' will produce a binary
that parses the input data as multiple packets (experimental!).

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU frequency
scaling setting; set AFL_SKIP_CPUFREQ=1 to skip that check.
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting, try
executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".

The inputs are split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have the hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create a pcap file for each input
file to simplify viewing in wireshark.

The lwipopts.h file needs to have checksum checking off, otherwise almost every
mutated packet will be discarded for a checksum mismatch before reaching the
code under test. The other options can be tuned to expose different parts of
the code.
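The following script is an added example, not part of the lwIP fuzz directory: it applies the environment and core_pattern checks from the text above and starts one afl-fuzz instance per input subdirectory (one per core), using afl-fuzz's parallel -M/-S mode so the instances share the output directory as a sync dir. It assumes lwip_fuzz has already been built in the current directory and afl-fuzz is on PATH; the instance names (lwip_<subdir>) are a convention chosen here.

```shell
#!/bin/sh
# Added example (not lwIP project code): run one afl-fuzz per input
# subdirectory, master (-M) for the first, secondaries (-S) for the rest.

# Build the afl-fuzz command line for one input subdirectory.
# $1 = instance index (1 = master), $2 = input subdir, $3 = shared sync/output dir
afl_cmdline() {
    idx="$1"; indir="$2"; syncdir="$3"
    name="lwip_$(basename "$indir")"          # naming convention assumed here
    if [ "$idx" -eq 1 ]; then
        mode="-M $name"
    else
        mode="-S $name"
    fi
    printf 'afl-fuzz -i %s -o %s %s ./lwip_fuzz\n' "$indir" "$syncdir" "$mode"
}

# afl-fuzz refuses to start when core_pattern pipes core dumps to a program
# (value starting with '|'), which is the complaint the README describes.
# Returns 0 if the given core_pattern value is acceptable, 1 otherwise.
core_pattern_ok() {
    case "$1" in
        '|'*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Launch the campaign: $1 = sync/output directory (default: output).
run_campaign() {
    syncdir="${1:-output}"
    export AFL_SKIP_CPUFREQ=1                 # skip the CPU frequency scaling check
    if [ -r /proc/sys/kernel/core_pattern ] && \
       ! core_pattern_ok "$(cat /proc/sys/kernel/core_pattern)"; then
        echo "core_pattern pipes cores to a program; fix with:" >&2
        echo "  sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'" >&2
        return 1
    fi
    idx=1
    for indir in inputs/*/; do
        cmd=$(afl_cmdline "$idx" "${indir%/}" "$syncdir")
        echo "starting: $cmd"
        sh -c "$cmd" > "afl_instance_$idx.log" 2>&1 &   # one instance per core
        idx=$((idx + 1))
    done
    wait
}
```

Crashes and hangs found by any instance land under output/<instance name>/, so output_to_pcap.sh must be pointed at each instance's directory in turn.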