Name               Date         Size     #Lines  LOC
inputs/            12-May-2024  -
Makefile           12-May-2024  2.1 KiB  55      15
README             12-May-2024  1.6 KiB  38      26
config.h           12-May-2024  0        1       0
fuzz.c             12-May-2024  5.2 KiB  190     131
lwipopts.h         12-May-2024  3.3 KiB  81      34
output_to_pcap.sh  12-May-2024  595      32      27

README


Fuzzing the lwIP stack (afl-fuzz requires Linux/Unix or similar)

This directory contains a small app that reads Ethernet frames from stdin and
processes them. It is used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool reads the known inputs and
tries to modify them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.

Just running make will produce the test program.

Running make with parameter 'D=-DLWIP_FUZZ_MULTI_PACKET' will produce a binary
that parses the input data as multiple packets (experimental!).

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU scheduler;
set AFL_SKIP_CPUFREQ=1 to ignore it.
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting, try
executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".

The input is split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have the hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create pcap files for each input
file to simplify viewing in Wireshark.
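
As an added example (not part of the lwIP sources or of this README), the Python code below does the same conversion without hexdump or text2pcap: it wraps each crash or hang input in a classic pcap file with link type Ethernet. It assumes afl's usual output layout (crashes/ and hangs/ subdirectories holding files named id...) and that each input is a single frame, as in the default build without LWIP_FUZZ_MULTI_PACKET; the function names are made up for this example.

```python
import struct
import sys
from pathlib import Path

LINKTYPE_ETHERNET = 1   # pcap link type for raw Ethernet frames
SNAPLEN = 65535         # maximum bytes stored per packet


def frame_to_pcap(frame: bytes) -> bytes:
    """Wrap one raw Ethernet frame in a little-endian classic pcap file."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0,
                             SNAPLEN, LINKTYPE_ETHERNET)
    stored = frame[:SNAPLEN]
    # Record header: ts_sec, ts_usec, stored length, original length
    record_hdr = struct.pack("<IIII", 0, 0, len(stored), len(frame))
    return global_hdr + record_hdr + stored


def convert_afl_output(outdir, pcapdir):
    """Write one .pcap per crash/hang input and return the paths written."""
    pcapdir = Path(pcapdir)
    pcapdir.mkdir(parents=True, exist_ok=True)
    written = []
    for kind in ("crashes", "hangs"):       # assumed afl output layout
        # afl names findings "id:NNNNNN,..."; this skips its README.txt
        for src in sorted(Path(outdir).glob(f"{kind}/id*")):
            if not src.is_file():
                continue
            # ':' is awkward in file names on some systems, so replace it
            dst = pcapdir / f"{kind}-{src.name.replace(':', '_')}.pcap"
            dst.write_bytes(frame_to_pcap(src.read_bytes()))
            written.append(dst)
    return written


if __name__ == "__main__":
    # Usage: python3 this_file.py <afl output dir> <pcap dir>
    for path in convert_afl_output(sys.argv[1], sys.argv[2]):
        print(path)
```

Fuzzed inputs are often shorter than an Ethernet header or otherwise malformed; the file is written as-is so that Wireshark shows exactly what the stack received.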

The lwipopts.h file needs to have checksum checking off, otherwise almost every
packet will be discarded because of that. The other options can be tuned to
expose different parts of the code.