
Fuzzing the lwIP stack (afl-fuzz requires Linux/Unix or similar)

This directory contains a small app that reads Ethernet frames from stdin and
feeds them to the lwIP stack. It is used together with the 'american fuzzy lop'
tool (found at http://lcamtuf.coredump.cx/afl/; its maintained successor AFL++
accepts the same command lines shown below) and the sample inputs to test how
unexpected inputs are handled. afl-fuzz reads the known inputs and mutates
them to exercise as many code paths as possible: the target is instrumented at
compile time by AFL's compiler wrapper, so afl-fuzz can keep track of which
code each input executes and keep the mutated inputs that reach new code.

Just running make will produce the test program, lwip_fuzz. The binary must be
built with AFL's compiler wrapper (afl-gcc or afl-clang-fast) so that it is
instrumented; without instrumentation afl-fuzz gets no coverage feedback and
refuses to start unless it is run in dumb mode (-n).

Running make with parameter 'D=-DLWIP_FUZZ_MULTI_PACKET' will produce a binary
that parses the input data as multiple packets (experimental!).

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU frequency
scaling governor; set AFL_SKIP_CPUFREQ=1 in the environment to ignore that
(the warning only concerns fuzzing throughput, not correctness).
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting, the
kernel is piping core dumps to an external handler such as apport, which
delays the crash so much that afl-fuzz may record it as a hang instead. Fix it
with "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'" (the setting
does not survive a reboot). If you cannot change it, setting
AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 makes afl-fuzz start anyway, at the
cost of possibly missing crashes.

The input is split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz per
core. Give each instance its own -M/-S name and the same output directory so
that the instances exchange interesting test cases (see AFL's documentation
on parallel fuzzing).

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory (output/crashes and output/hangs, or output/<name>/crashes
when running named parallel instances). If you have the hexdump and text2pcap
tools installed, running output_to_pcap.sh <outputdir> will create a pcap file
for each input file to simplify viewing in wireshark. Re-run a saved input
through the binary by hand (./lwip_fuzz < output/crashes/<file>) to confirm
the crash is reproducible before looking at it further.
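
The procedure above (core_pattern check, one afl-fuzz instance per input
subdirectory, re-running saved crashes) as one script. This is an added
example and not part of lwIP or AFL; it assumes the fuzz binary is ./lwip_fuzz
in the current directory, that the corpora live in inputs/<name>/, and the
instance names fuzz_<name> are an arbitrary choice made here.

```shell
#!/bin/sh
# Added example, not lwIP or AFL code. Assumes ./lwip_fuzz is the fuzz binary
# built in this directory and that the corpora live in inputs/<name>/.

# core_pattern_ok PATTERN: succeed if a core_pattern value lets afl-fuzz see
# crashes. A leading '|' pipes core dumps to an external handler (apport,
# systemd-coredump); afl-fuzz refuses to start in that case because the
# handler delays the crash and it may be reported as a hang instead.
core_pattern_ok() {
    case "$1" in
        '|'*) return 1 ;;
        *)    return 0 ;;
    esac
}

# fuzz_cmd INPUTDIR INDEX: print the afl-fuzz command line for one instance.
# Instance 0 is the master (-M), the rest are secondaries (-S). All of them use
# the same output directory, which is how afl-fuzz instances share test cases.
# The instance names fuzz_<name> are an arbitrary choice for this example.
fuzz_cmd() {
    name=$(basename "$1")
    if [ "$2" -eq 0 ]; then role=-M; else role=-S; fi
    printf 'afl-fuzz -i %s -o output %s fuzz_%s -- ./lwip_fuzz\n' "$1" "$role" "$name"
}

# launch_all: check core_pattern, then start one instance per inputs/*
# subdirectory in the background, logging each one to output-<name>.log.
# AFL_NO_UI=1 turns off the status screen, which is useless without a tty.
launch_all() {
    if ! core_pattern_ok "$(cat /proc/sys/kernel/core_pattern)"; then
        echo "core_pattern pipes core dumps to a handler; run:" >&2
        echo "  sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'" >&2
        return 1
    fi
    idx=0
    for d in inputs/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        AFL_SKIP_CPUFREQ=1 AFL_NO_UI=1 \
            sh -c "$(fuzz_cmd "$d" "$idx")" >"output-$(basename "$d").log" 2>&1 &
        idx=$((idx + 1))
    done
}

# repro_status BIN FILE: feed one saved input to BIN on stdin and print the
# exit status. 128+N means the process died from signal N (139 = SIGSEGV,
# 134 = SIGABRT); an ASan build reports its findings with exit status 1.
repro_status() {
    status=0
    "$1" <"$2" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# triage: re-run every crash afl-fuzz saved and print "status path" for each,
# so reproducible crashes can be told apart from one-off ones.
triage() {
    for f in output/crashes/id:* output/*/crashes/id:*; do
        [ -f "$f" ] || continue
        echo "$(repro_status ./lwip_fuzz "$f") $f"
    done
}

case "${1:-}" in
    run)    launch_all ;;
    triage) triage ;;
esac
```

Run "sh fuzz_all.sh run" (any file name will do) to start the instances and
"sh fuzz_all.sh triage" after stopping them to list which saved crashes still
reproduce; anything that no longer crashes outside afl-fuzz is usually a
timing-dependent finding or an artifact of the fork server and should be
looked at last.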

The lwipopts.h file needs to have checksum checking off (the CHECKSUM_CHECK_*
options, e.g. CHECKSUM_CHECK_IP, CHECKSUM_CHECK_UDP and CHECKSUM_CHECK_TCP set
to 0), otherwise almost every mutated packet will be discarded because its
checksum no longer matches and the fuzzer never gets past header validation.
The other options can be tuned to expose different parts of the code.
