1 2Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar) 3 4This directory contains small apps that read Ethernet frames from stdin and 5process them. They are used together with the 'american fuzzy lop' tool (found 6at https://lcamtuf.coredump.cx/afl/) or its successor AFL++ 7(https://github.com/AFLplusplus/AFLplusplus) and the sample inputs to test how 8unexpected inputs are handled. The afl tool will read the known inputs, and 9try to modify them to exercise as many code paths as possible, by instrumenting 10the code and keeping track of which code is executed. 11 12Just running make will produce the test programs. 13 14Then run afl with: 15 16afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz 17 18and it should start working. It will probably complain about CPU scheduler, 19set AFL_SKIP_CPUFREQ=1 to ignore it. 20If it complains about invalid "/proc/sys/kernel/core_pattern" setting, try 21executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'". 22 23The input is split into different subdirectories since they test different 24parts of the code, and since you want to run one instance of afl-fuzz on each 25core. 26 27When afl finds a crash or a hang, the input that caused it will be placed in 28the output directory. If you have hexdump and text2pcap tools installed, 29running output_to_pcap.sh <outputdir> will create pcap files for each input 30file to simplify viewing in wireshark. 31 32The lwipopts.h file needs to have checksum checking off, otherwise almost every 33packet will be discarded because of that. The other options can be tuned to 34expose different parts of the code. 35