Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar)

This directory contains a small app that reads Ethernet frames from stdin and
processes them. It is used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool will read the known inputs and
try to modify them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.

Just running make will produce the test program.

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU scheduler;
set AFL_SKIP_CPUFREQ=1 to ignore it.
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting, try
executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".

The inputs are split into different subdirectories because they exercise
different parts of the code, and because you want to run one instance of
afl-fuzz on each core.

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have the hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create a pcap file for each input
file to simplify viewing in wireshark.

The lwipopts.h file needs to have checksum checking turned off, otherwise almost
every mutated packet will be discarded for having a bad checksum before it
reaches the code under test. The other options can be tuned to expose different
parts of the code.
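The crash and hang files afl writes are raw Ethernet frames with no capture framing, which is why the README routes them through text2pcap before Wireshark can open them. The following is an added example (not part of lwIP or its output_to_pcap.sh script) that does the same conversion without external tools: it wraps one raw frame in a minimal little-endian pcap image with link type 1 (Ethernet) and a zero timestamp, and rejects empty or oversized input instead of writing a truncated file. The file names and the constructed frame bytes in the usage are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants from the libpcap file format (little-endian variant). */
#define PCAP_MAGIC          0xa1b2c3d4u
#define PCAP_VERSION_MAJOR  2u
#define PCAP_VERSION_MINOR  4u
#define PCAP_SNAPLEN        65535u
#define LINKTYPE_ETHERNET   1u
#define PCAP_GLOBAL_HDR_LEN 24u
#define PCAP_RECORD_HDR_LEN 16u

static void put_u16le(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

static void put_u32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff);
    p[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Wrap one raw Ethernet frame (as afl stores it under crashes/ or hangs/)
 * in a one-record pcap image. Returns the number of bytes written to out,
 * or 0 when the frame is empty, exceeds the snaplen, or would overflow out. */
size_t frame_to_pcap(const uint8_t *frame, size_t frame_len,
                     uint8_t *out, size_t out_cap)
{
    size_t total = PCAP_GLOBAL_HDR_LEN + PCAP_RECORD_HDR_LEN + frame_len;
    if (frame_len == 0 || frame_len > PCAP_SNAPLEN || total > out_cap) {
        return 0;
    }
    /* Global header. */
    put_u32le(out + 0, PCAP_MAGIC);
    put_u16le(out + 4, PCAP_VERSION_MAJOR);
    put_u16le(out + 6, PCAP_VERSION_MINOR);
    put_u32le(out + 8, 0);                     /* thiszone: UTC */
    put_u32le(out + 12, 0);                    /* sigfigs: unused */
    put_u32le(out + 16, PCAP_SNAPLEN);
    put_u32le(out + 20, LINKTYPE_ETHERNET);
    /* Record header: afl inputs carry no capture time, so the timestamp is 0. */
    uint8_t *rec = out + PCAP_GLOBAL_HDR_LEN;
    put_u32le(rec + 0, 0);                     /* ts_sec */
    put_u32le(rec + 4, 0);                     /* ts_usec */
    put_u32le(rec + 8, (uint32_t)frame_len);   /* incl_len */
    put_u32le(rec + 12, (uint32_t)frame_len);  /* orig_len */
    memcpy(rec + PCAP_RECORD_HDR_LEN, frame, frame_len);
    return total;
}

/* Usage: frame2pcap <afl-output-file> <out.pcap>   (file names are placeholders) */
int main(int argc, char **argv)
{
    static uint8_t frame[PCAP_SNAPLEN];
    static uint8_t pcap[PCAP_GLOBAL_HDR_LEN + PCAP_RECORD_HDR_LEN + PCAP_SNAPLEN];
    if (argc != 3) {
        fprintf(stderr, "usage: %s <frame-file> <out.pcap>\n", argv[0]);
        return 2;
    }
    FILE *in = fopen(argv[1], "rb");
    if (!in) { perror("fopen input"); return 1; }
    size_t n = fread(frame, 1, sizeof frame, in);
    fclose(in);
    size_t len = frame_to_pcap(frame, n, pcap, sizeof pcap);
    if (len == 0) { fprintf(stderr, "frame is empty or larger than %u bytes\n", PCAP_SNAPLEN); return 1; }
    FILE *out = fopen(argv[2], "wb");
    if (!out) { perror("fopen output"); return 1; }
    size_t w = fwrite(pcap, 1, len, out);
    fclose(out);
    return w == len ? 0 : 1;
}
```

Run it over each file in the afl output directory and open the results in Wireshark; because the whole frame is copied with incl_len equal to orig_len, Wireshark dissects exactly the bytes the harness fed to lwIP, which makes it straightforward to see which header field the mutation corrupted.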