From f3f86fd1fe0fb288356bff78f8a6fa2edf89e3fc Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Wed, 16 Oct 2024 08:10:14 -0600 Subject: Squashed 'lib/lwip/lwip/' content from commit 0a0452b2c39b git-subtree-dir: lib/lwip/lwip git-subtree-split: 0a0452b2c39bdd91e252aef045c115f88f6ca773 --- test/fuzz/README | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 test/fuzz/README (limited to 'test/fuzz/README') diff --git a/test/fuzz/README b/test/fuzz/README new file mode 100644 index 00000000000..a3b2eee54b6 --- /dev/null +++ b/test/fuzz/README 
@@ -0,0 +1,34 @@ + +Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar) + +This directory contains small apps that read Ethernet frames from stdin and +process them. They are used together with the 'american fuzzy lop' tool (found +at https://lcamtuf.coredump.cx/afl/) or its successor AFL++ +(https://github.com/AFLplusplus/AFLplusplus) and the sample inputs to test how +unexpected inputs are handled. The afl tool will read the known inputs, and +try to modify them to exercise as many code paths as possible, by instrumenting +the code and keeping track of which code is executed. + +Just running make will produce the test programs. + +Then run afl with: + +afl-fuzz -i inputs/ -o output ./lwip_fuzz + +and it should start working. It will probably complain about CPU scheduler, +set AFL_SKIP_CPUFREQ=1 to ignore it. +If it complains about invalid "/proc/sys/kernel/core_pattern" setting, try +executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'". + +The input is split into different subdirectories since they test different +parts of the code, and since you want to run one instance of afl-fuzz on each +core. + +When afl finds a crash or a hang, the input that caused it will be placed in +the output directory. If you have hexdump and text2pcap tools installed, +running output_to_pcap.sh will create pcap files for each input +file to simplify viewing in wireshark. + +The lwipopts.h file needs to have checksum checking off, otherwise almost every +packet will be discarded because of that. The other options can be tuned to +expose different parts of the code. -- cgit v1.2.3
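Review bot: the sentence "It will probably complain about CPU scheduler, set AFL_SKIP_CPUFREQ=1 to ignore it" names the wrong subsystem; AFL_SKIP_CPUFREQ skips the check on the CPU frequency scaling governor, not the scheduler, so it should read "complain about the CPU frequency scaling governor". Two smaller points on the same hunk: the suggested `sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'` overwrites a system-wide setting, so the README should tell the reader to record the existing value and restore it once fuzzing is finished; and "afl-fuzz -i inputs/ -o output ./lwip_fuzz" sits next to "The input is split into different subdirectories ... you want to run one instance of afl-fuzz on each core" without showing that form, so one concrete per-subdirectory invocation (one `-i inputs/<subdir>/` and a distinct `-o` directory per instance) would make the two paragraphs consistent.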