jfen/ETH_TCP_Demo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

初始化版本

Browse Source
This commit is contained in:
冯佳
2026-02-09 10:27:21 +08:00
commit 64d767932f
4467 changed files with 2486822 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
lwip/lwip-2.2.1/test/fuzz/Makefile Normal file
View File

@ -0,0 +1,73 @@
#
# Copyright (c) 2001, 2002 Swedish Institute of Computer Science.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# 3. The name of the author may not be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
# SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
# OF SUCH DAMAGE.
#
# This file is part of the lwIP TCP/IP stack.
#
# Author: Adam Dunkels <adam@sics.se>
#
all compile: lwip_fuzz lwip_fuzz2 lwip_fuzz3
.PHONY: all clean
ifeq ($(origin CC), default)
CC=afl-gcc
endif
LDFLAGS=-lm
# use 'make D=-DUSER_DEFINE' to pass a user define to gcc
CFLAGS=-O2 $(D)
LWIPDIR=../../src
CONTRIBDIR=../../contrib
include $(CONTRIBDIR)/ports/unix/Common.mk
DEPFILES=.depend_fuzz .depend_lwip .depend_app
clean:
rm -f *.o $(LWIPLIBCOMMON) $(APPLIB) lwip_fuzz lwip_fuzz2 lwip_fuzz3 *.s $(DEPFILES) *.core core
depend dep: $(DEPFILES)
@true
ifneq ($(MAKECMDGOALS),clean)
include $(DEPFILES)
endif
.depend_fuzz: fuzz.c fuzz2.c fuzz3.c fuzz_common.c
$(CCDEP) $(CFLAGS) -MM $^ > .depend_fuzz || rm -f .depend_fuzz
.depend_lwip: $(LWIPFILES)
$(CCDEP) $(CFLAGS) -MM $^ > .depend_lwip || rm -f .depend_lwip
.depend_app: $(APPFILES)
$(CCDEP) $(CFLAGS) -MM $^ > .depend_app || rm -f .depend_app
lwip_fuzz: $(DEPFILES) $(LWIPLIBCOMMON) $(APPLIB) fuzz.o fuzz_common.o
$(CC) $(CFLAGS) -o lwip_fuzz fuzz.o fuzz_common.o $(APPLIB) $(LWIPLIBCOMMON) $(LDFLAGS)
lwip_fuzz2: $(DEPFILES) $(LWIPLIBCOMMON) $(APPLIB) fuzz2.o fuzz_common.o
$(CC) $(CFLAGS) -o lwip_fuzz2 fuzz2.o fuzz_common.o $(APPLIB) $(LWIPLIBCOMMON) $(LDFLAGS)
lwip_fuzz3: $(DEPFILES) $(LWIPLIBCOMMON) $(APPLIB) fuzz3.o fuzz_common.o
$(CC) $(CFLAGS) -o lwip_fuzz3 fuzz3.o fuzz_common.o $(APPLIB) $(LWIPLIBCOMMON) $(LDFLAGS)

34
lwip/lwip-2.2.1/test/fuzz/README Normal file
View File

@ -0,0 +1,34 @@
Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar)
This directory contains small apps that read Ethernet frames from stdin and
process them. They are used together with the 'american fuzzy lop' tool (found
at https://lcamtuf.coredump.cx/afl/) or its successor AFL++
(https://github.com/AFLplusplus/AFLplusplus) and the sample inputs to test how
unexpected inputs are handled. The afl tool will read the known inputs, and
try to modify them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.
Just running make will produce the test programs.
Then run afl with:
afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz
and it should start working. It will probably complain about CPU scheduler,
set AFL_SKIP_CPUFREQ=1 to ignore it.
If it complains about invalid "/proc/sys/kernel/core_pattern" setting, try
executing "sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".
The input is split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.
When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create pcap files for each input
file to simplify viewing in wireshark.
The lwipopts.h file needs to have checksum checking off, otherwise almost every
packet will be discarded because of that. The other options can be tuned to
expose different parts of the code.

0
lwip/lwip-2.2.1/test/fuzz/config.h Normal file
View File

39
lwip/lwip-2.2.1/test/fuzz/fuzz.c Normal file
View File

@ -0,0 +1,39 @@
/*
* Copyright (c) 2001-2003 Swedish Institute of Computer Science.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Erik Ekman <erik@kryo.se>
* Simon Goldschmidt <goldsimon@gmx.de>
*
*/
#include "fuzz_common.h"
int main(int argc, char** argv)
{
return lwip_fuzztest(argc, argv, LWIP_FUZZ_SINGLE, LWIP_FUZZ_DEFAULT);
}

39
lwip/lwip-2.2.1/test/fuzz/fuzz2.c Normal file
View File

@ -0,0 +1,39 @@
/*
* Copyright (c) 2001-2003 Swedish Institute of Computer Science.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Erik Ekman <erik@kryo.se>
* Simon Goldschmidt <goldsimon@gmx.de>
*
*/
#include "fuzz_common.h"
int main(int argc, char** argv)
{
return lwip_fuzztest(argc, argv, LWIP_FUZZ_MULTIPACKET, LWIP_FUZZ_DEFAULT);
}

40
lwip/lwip-2.2.1/test/fuzz/fuzz3.c Normal file
View File

@ -0,0 +1,40 @@
/*
* Copyright (c) 2001-2003 Swedish Institute of Computer Science.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Erik Ekman <erik@kryo.se>
* Simon Goldschmidt <goldsimon@gmx.de>
*
*/
#include "fuzz_common.h"
int main(int argc, char** argv)
{
return lwip_fuzztest(argc, argv, LWIP_FUZZ_MULTIPACKET_TIME,
LWIP_FUZZ_STATICARP|LWIP_FUZZ_TCP_SERVER|LWIP_FUZZ_TCP_CLIENT|LWIP_FUZZ_UDP_SERVER|LWIP_FUZZ_UDP_CLIENT);
}

704
lwip/lwip-2.2.1/test/fuzz/fuzz_common.c Normal file
View File

@ -0,0 +1,704 @@
/*
* Copyright (c) 2001-2003 Swedish Institute of Computer Science.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Erik Ekman <erik@kryo.se>
* Simon Goldschmidt <goldsimon@gmx.de>
*
*/
#include "fuzz_common.h"
#include "lwip/altcp_tcp.h"
#include "lwip/dns.h"
#include "lwip/init.h"
#include "lwip/netif.h"
#include "lwip/sys.h"
#include "lwip/timeouts.h"
#include "lwip/udp.h"
#include "netif/etharp.h"
#if LWIP_IPV6
#include "lwip/ethip6.h"
#include "lwip/nd6.h"
#endif
#include "lwip/apps/httpd.h"
#include "lwip/apps/snmp.h"
#include "lwip/apps/lwiperf.h"
#include "lwip/apps/mdns.h"
#include <string.h>
#include <stdio.h>
static u8_t pktbuf[200000];
static const u8_t *remfuzz_ptr; /* remaining fuzz pointer */
static size_t remfuzz_len; /* remaining fuzz length */
#ifndef FUZZ_DEBUG
#define FUZZ_DEBUG LWIP_DBG_OFF
#endif
#ifdef LWIP_FUZZ_SYS_NOW
/* This offset should be added to the time 'sys_now()' returns */
u32_t sys_now_offset;
#endif
/** Set this to 1 and define FUZZ_DUMP_PCAP_FILE to dump tx and rx packets into
* a pcap file. At the same time, packet info is written via LWIP_DEBUGF so
* packets can be matched to other events for debugging them.
*/
#ifndef FUZZ_DUMP_PCAP
#define FUZZ_DUMP_PCAP 0
#endif
#if FUZZ_DUMP_PCAP
const u8_t pcap_file_header[24] = {
0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00
};
static FILE* fpcap;
static u32_t pcap_packet;
static void pcap_dump_init(void)
{
fpcap = fopen(FUZZ_DUMP_PCAP_FILE, "wb");
if (fpcap != NULL) {
/* write header */
fwrite(pcap_file_header, 1, sizeof(pcap_file_header), fpcap);
}
}
/* This function might have to be called from LWIP_PLATFORM_ASSERT()
* in order to produce correct pcap results on crash.
* Define this global so that for a test, we can call this from anywhere...
*/
void pcap_dump_stop(void);
void pcap_dump_stop(void)
{
if (fpcap != NULL) {
fclose(fpcap);
fpcap = NULL;
}
}
static void pcap_dump_packet(struct pbuf *p, int is_tx)
{
if (fpcap != NULL) {
struct pbuf *q;
u32_t data;
pcap_packet++;
if (is_tx) {
LWIP_DEBUGF(FUZZ_DEBUG, ("> %d fuzz: netif: send %u bytes\n", pcap_packet, p->tot_len));
} else {
LWIP_DEBUGF(FUZZ_DEBUG, ("< %d fuzz: RX packet of %u bytes\n", pcap_packet, p->tot_len));
if (pcap_packet == 50 || pcap_packet == 33 || pcap_packet == 29) {
pcap_packet++;
pcap_packet--;
}
}
/* write packet header */
fwrite(&pcap_packet, 1, sizeof(pcap_packet), fpcap);
data = 0;
fwrite(&data, 1, sizeof(data), fpcap);
data = p->tot_len;
fwrite(&data, 1, sizeof(data), fpcap);
fwrite(&data, 1, sizeof(data), fpcap);
/* write packet data */
for(q = p; q != NULL; q = q->next) {
fwrite(q->payload, 1, q->len, fpcap);
}
}
}
static void pcap_dump_rx_packet(struct pbuf *p)
{
pcap_dump_packet(p, 0);
}
static void pcap_dump_tx_packet(struct pbuf *p)
{
pcap_dump_packet(p, 1);
}
#else /* FUZZ_DUMP_PCAP */
#define pcap_dump_rx_packet(p)
#define pcap_dump_tx_packet(p)
#define pcap_dump_init()
#define pcap_dump_stop()
#endif /* FUZZ_DUMP_PCAP */
/* no-op send function */
static err_t lwip_tx_func(struct netif *netif, struct pbuf *p)
{
pcap_dump_tx_packet(p);
LWIP_UNUSED_ARG(netif);
LWIP_UNUSED_ARG(p);
return ERR_OK;
}
static err_t testif_init(struct netif *netif)
{
netif->name[0] = 'f';
netif->name[1] = 'z';
netif->output = etharp_output;
netif->linkoutput = lwip_tx_func;
netif->mtu = 1500;
netif->hwaddr_len = 6;
netif->flags = NETIF_FLAG_BROADCAST | NETIF_FLAG_ETHARP | NETIF_FLAG_IGMP;
netif->hwaddr[0] = 0x00;
netif->hwaddr[1] = 0x23;
netif->hwaddr[2] = 0xC1;
netif->hwaddr[3] = 0xDE;
netif->hwaddr[4] = 0xD0;
netif->hwaddr[5] = 0x0D;
#if LWIP_IPV6
netif->output_ip6 = ethip6_output;
netif_create_ip6_linklocal_address(netif, 1);
netif->flags |= NETIF_FLAG_MLD6;
#endif
return ERR_OK;
}
static void input_pkt(struct netif *netif, const u8_t *data, size_t len)
{
struct pbuf *p, *q;
err_t err;
if (len > 0xFFFF) {
printf("pkt too big (%#zX bytes)\n", len);
return;
}
p = pbuf_alloc(PBUF_RAW, (u16_t)len, PBUF_POOL);
LWIP_ASSERT("alloc failed", p);
for(q = p; q != NULL; q = q->next) {
MEMCPY(q->payload, data, q->len);
data += q->len;
}
remfuzz_ptr += len;
remfuzz_len -= len;
pcap_dump_rx_packet(p);
err = netif->input(p, netif);
if (err != ERR_OK) {
pbuf_free(p);
}
}
static void input_pkts(enum lwip_fuzz_type type, struct netif *netif, const u8_t *data, size_t len)
{
size_t packet_nr = 0;
remfuzz_ptr = data;
remfuzz_len = len;
if (type == LWIP_FUZZ_SINGLE) {
input_pkt(netif, data, len);
} else {
const u16_t max_packet_size = 1514;
const size_t minlen = sizeof(u16_t) + (type == LWIP_FUZZ_MULTIPACKET_TIME ? sizeof(u32_t) : 0);
while (remfuzz_len > minlen) {
u16_t frame_len;
#ifdef LWIP_FUZZ_SYS_NOW
u32_t external_delay = 0;
#endif
packet_nr++;
if (type == LWIP_FUZZ_MULTIPACKET_TIME) {
#ifdef LWIP_FUZZ_SYS_NOW
/* Extract external delay time from fuzz pool */
memcpy(&external_delay, remfuzz_ptr, sizeof(u32_t));
external_delay = ntohl(external_delay);
#endif
remfuzz_ptr += sizeof(u32_t);
remfuzz_len -= sizeof(u32_t);
}
memcpy(&frame_len, remfuzz_ptr, sizeof(u16_t));
remfuzz_ptr += sizeof(u16_t);
remfuzz_len -= sizeof(u16_t);
frame_len = ntohs(frame_len) & 0x7FF;
frame_len = LWIP_MIN(frame_len, max_packet_size);
if (frame_len > remfuzz_len) {
frame_len = (u16_t)remfuzz_len;
}
if (frame_len != 0) {
if (type == LWIP_FUZZ_MULTIPACKET_TIME) {
#ifdef LWIP_FUZZ_SYS_NOW
/* Update total external delay time, and check timeouts */
sys_now_offset += external_delay;
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: sys_now_offset += %u -> %u\n", external_delay, sys_now_offset));
#endif
sys_check_timeouts();
}
input_pkt(netif, remfuzz_ptr, frame_len);
/* Check timeouts again */
sys_check_timeouts();
}
}
}
}
#if LWIP_TCP
static struct altcp_pcb *tcp_client_pcb; /* a pcb for the TCP client */
static struct altcp_pcb *tcp_server_pcb; /* a pcb for the TCP server */
static u16_t tcp_remote_port; /* a TCP port number of the destination */
static u16_t tcp_local_port; /* a TCP port number of the local server */
/**
* tcp_app_fuzz_input
* Input fuzz with a write function for TCP.
*/
static void
tcp_app_fuzz_input(struct altcp_pcb *pcb)
{
if (remfuzz_len > sizeof(u16_t)) {
/*
* (max IP packet size) - ((minimum IP header size) + (minimum TCP header size))
* = 65535 - (20 + 20)
* = 65495
*/
const u16_t max_data_size = 65495;
u16_t data_len;
memcpy(&data_len, remfuzz_ptr, sizeof(u16_t));
remfuzz_ptr += sizeof(u16_t);
remfuzz_len -= sizeof(u16_t);
data_len = ntohs(data_len);
data_len = LWIP_MIN(data_len, max_data_size);
if (data_len > remfuzz_len) {
data_len = (u16_t)remfuzz_len;
}
if (data_len != 0) {
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: write %u bytes\n", data_len));
altcp_write(pcb, remfuzz_ptr, data_len, TCP_WRITE_FLAG_COPY);
altcp_output(pcb);
} else {
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: close\n"));
altcp_close(pcb);
}
remfuzz_ptr += data_len;
remfuzz_len -= data_len;
}
}
/**
* tcp_client_connected
* A connected callback function (for the TCP client)
*/
static err_t
tcp_client_connected(void *arg, struct altcp_pcb *pcb, err_t err)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(err);
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: tcp_client_connected\n"));
tcp_app_fuzz_input(pcb);
return ERR_OK;
}
/**
* tcp_client_recv
* A recv callback function (for the TCP client)
*/
static err_t
tcp_client_recv(void *arg, struct altcp_pcb *pcb, struct pbuf *p, err_t err)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(err);
if (p == NULL) {
altcp_close(pcb);
} else {
altcp_recved(pcb, p->tot_len);
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: tcp_client_recv: %d\n", p->tot_len));
tcp_app_fuzz_input(pcb);
pbuf_free(p);
}
return ERR_OK;
}
/**
* tcp_client_sent
* A sent callback function (for the TCP client)
*/
static err_t
tcp_client_sent(void *arg, struct altcp_pcb *pcb, u16_t len)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(pcb);
LWIP_UNUSED_ARG(len);
return ERR_OK;
}
/**
* tcp_client_poll
* A poll callback function (for the TCP client)
*/
static err_t
tcp_client_poll(void *arg, struct altcp_pcb *pcb)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(pcb);
return ERR_OK;
}
/**
* tcp_client_err
* An err callback function (for the TCP client)
*/
static void
tcp_client_err(void *arg, err_t err)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(err);
}
/**
* tcp_server_recv
* A recv callback function (for the TCP server)
*/
static err_t
tcp_server_recv(void *arg, struct altcp_pcb *pcb, struct pbuf *p, err_t err)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(err);
if (p == NULL) {
altcp_close(pcb);
} else {
altcp_recved(pcb, p->tot_len);
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: tcp_server_recv: %d\n", p->tot_len));
tcp_app_fuzz_input(pcb);
pbuf_free(p);
}
return ERR_OK;
}
/**
* tcp_server_sent
* A sent callback function (for the TCP server)
*/
static err_t
tcp_server_sent(void *arg, struct altcp_pcb *pcb, u16_t len)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(pcb);
LWIP_UNUSED_ARG(len);
return ERR_OK;
}
/**
* tcp_server_poll
* A poll callback function (for the TCP server)
*/
static err_t
tcp_server_poll(void *arg, struct altcp_pcb *pcb)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(pcb);
return ERR_OK;
}
/**
* tcp_server_err
* An err callbuck function (for the TCP server)
*/
static void
tcp_server_err(void *arg, err_t err)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(err);
}
/**
* tcp_server_accept
* An accept callbuck function (for the TCP server)
*/
static err_t
tcp_server_accept(void *arg, struct altcp_pcb *pcb, err_t err)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(err);
if ((err != ERR_OK) || (pcb == NULL)) {
return ERR_VAL;
}
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: accept from remote\n"));
altcp_setprio(pcb, TCP_PRIO_MIN);
altcp_recv(pcb, tcp_server_recv);
altcp_err(pcb, tcp_server_err);
altcp_poll(pcb, tcp_server_poll, 10);
altcp_sent(pcb, tcp_server_sent);
return ERR_OK;
}
#endif /* LWIP_TCP */
#if LWIP_UDP
static struct udp_pcb *udp_client_pcb; /* a pcb for the UDP client */
static struct udp_pcb *udp_server_pcb; /* a pcb for the UDP server */
static u16_t udp_remote_port; /* a UDP port number of the destination */
static u16_t udp_local_port; /* a UDP port number of the local server*/
/**
* udp_app_fuzz_input
* Input fuzz with write functions for UDP.
*/
static void
udp_app_fuzz_input(struct udp_pcb *pcb, const ip_addr_t *addr, u16_t port)
{
if (remfuzz_len > sizeof(u16_t)) {
/*
* (max IP packet size) - ((minimum IP header size) - (minimum UDP header size))
* = 65535 - (20 + 8)
* = 65507
*/
const u16_t max_data_size = 65507;
u16_t data_len;
memcpy(&data_len, remfuzz_ptr, sizeof(u16_t));
remfuzz_ptr += sizeof(u16_t);
remfuzz_len -= sizeof(u16_t);
data_len = ntohs(data_len);
data_len = LWIP_MIN(data_len, max_data_size);
if (data_len > remfuzz_len) {
data_len = (u16_t)remfuzz_len;
}
LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: udp: send %u bytes\n", data_len));
if (data_len != 0) {
struct pbuf *p, *q;
p = pbuf_alloc(PBUF_RAW, (u16_t)data_len, PBUF_POOL);
LWIP_ASSERT("alloc failed", p);
for (q = p; q != NULL; q = q->next) {
MEMCPY(q->payload, remfuzz_ptr, q->len);
remfuzz_ptr += q->len;
}
remfuzz_len -= data_len;
/*
* Trying input from ...
*
* client:
* The pcb has information about the destination.
* We use udp_send().
*
* server:
* The pcb does NOT have information about the destination.
* We use udp_sendto().
*/
if (addr == NULL) {
udp_send(pcb, p);
} else {
udp_sendto(pcb, p, addr, port);
}
pbuf_free(p);
}
}
}
/**
* udp_client_recv
* A recv callback function (for the UDP client)
*/
static void
udp_client_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(p);
LWIP_UNUSED_ARG(addr);
LWIP_UNUSED_ARG(port);
if (p == NULL) {
udp_disconnect(pcb);
} else {
/*
* We call the function with 2nd argument set to NULL
* to input fuzz from udp_send.
*/
udp_app_fuzz_input(pcb, NULL, port);
pbuf_free(p);
}
}
/**
* udp_server_recv
* A recv callback functyion (for the UDP server)
*/
static void
udp_server_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port)
{
LWIP_UNUSED_ARG(arg);
LWIP_UNUSED_ARG(p);
LWIP_UNUSED_ARG(addr);
LWIP_UNUSED_ARG(port);
if (p != NULL) {
udp_app_fuzz_input(pcb, addr, port);
pbuf_free(p);
}
}
#endif /* LWIP_UDP */
int lwip_fuzztest(int argc, char** argv, enum lwip_fuzz_type type, u32_t test_apps)
{
struct netif net_test;
ip4_addr_t addr;
ip4_addr_t netmask;
ip4_addr_t gw;
size_t len;
err_t err;
ip_addr_t remote_addr; /* a IPv4 addr of the destination */
struct eth_addr remote_mac = ETH_ADDR(0x28, 0x00, 0x00, 0x22, 0x2b, 0x38); /* a MAC addr of the destination */
pcap_dump_init();
lwip_init();
IP4_ADDR(&addr, 172, 30, 115, 84);
IP4_ADDR(&netmask, 255, 255, 255, 0);
IP4_ADDR(&gw, 172, 30, 115, 1);
netif_add(&net_test, &addr, &netmask, &gw, &net_test, testif_init, ethernet_input);
netif_set_up(&net_test);
netif_set_link_up(&net_test);
if (test_apps & LWIP_FUZZ_STATICARP) {
/* Add the ARP entry */
IP_ADDR4(&remote_addr, 172, 30, 115, 37);
etharp_add_static_entry(&(remote_addr.u_addr.ip4), &remote_mac);
}
#if LWIP_IPV6
nd6_tmr(); /* tick nd to join multicast groups */
#endif
dns_setserver(0, &net_test.gw);
if (test_apps & LWIP_FUZZ_DEFAULT) {
/* initialize apps */
httpd_init();
lwiperf_start_tcp_server_default(NULL, NULL);
mdns_resp_init();
mdns_resp_add_netif(&net_test, "hostname");
snmp_init();
}
if (test_apps & LWIP_FUZZ_TCP_CLIENT) {
tcp_client_pcb = altcp_tcp_new_ip_type(IPADDR_TYPE_ANY);
LWIP_ASSERT("Error: altcp_new() failed", tcp_client_pcb != NULL);
tcp_remote_port = 80;
err = altcp_connect(tcp_client_pcb, &remote_addr, tcp_remote_port, tcp_client_connected);
LWIP_ASSERT("Error: altcp_connect() failed", err == ERR_OK);
altcp_recv(tcp_client_pcb, tcp_client_recv);
altcp_err(tcp_client_pcb, tcp_client_err);
altcp_poll(tcp_client_pcb, tcp_client_poll, 10);
altcp_sent(tcp_client_pcb, tcp_client_sent);
}
if (test_apps & LWIP_FUZZ_TCP_SERVER) {
tcp_server_pcb = altcp_tcp_new_ip_type(IPADDR_TYPE_ANY);
LWIP_ASSERT("Error: altcp_new() failed", tcp_server_pcb != NULL);
altcp_setprio(tcp_server_pcb, TCP_PRIO_MIN);
tcp_local_port = 80;
err = altcp_bind(tcp_server_pcb, IP_ANY_TYPE, tcp_local_port);
LWIP_ASSERT("Error: altcp_bind() failed", err == ERR_OK);
tcp_server_pcb = altcp_listen(tcp_server_pcb);
LWIP_ASSERT("Error: altcp_listen() failed", err == ERR_OK);
altcp_accept(tcp_server_pcb, tcp_server_accept);
}
if (test_apps & LWIP_FUZZ_UDP_CLIENT) {
udp_client_pcb = udp_new();
udp_new_ip_type(IPADDR_TYPE_ANY);
udp_recv(udp_client_pcb, udp_client_recv, NULL);
udp_remote_port = 161;
udp_connect(udp_client_pcb, &remote_addr, udp_remote_port);
}
if (test_apps & LWIP_FUZZ_UDP_SERVER) {
udp_server_pcb = udp_new();
udp_new_ip_type(IPADDR_TYPE_ANY);
udp_local_port = 161;
udp_bind(udp_server_pcb, IP_ANY_TYPE, udp_local_port);
udp_recv(udp_server_pcb, udp_server_recv, NULL);
}
if(argc > 1) {
FILE* f;
const char* filename;
printf("reading input from file... ");
fflush(stdout);
filename = argv[1];
LWIP_ASSERT("invalid filename", filename != NULL);
f = fopen(filename, "rb");
LWIP_ASSERT("open failed", f != NULL);
len = fread(pktbuf, 1, sizeof(pktbuf), f);
fclose(f);
printf("testing file: \"%s\"...\r\n", filename);
} else {
len = fread(pktbuf, 1, sizeof(pktbuf), stdin);
}
input_pkts(type, &net_test, pktbuf, len);
pcap_dump_stop();
return 0;
}
#ifdef LWIP_RAND_FOR_FUZZ
u32_t lwip_fuzz_rand(void)
{
#ifdef LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC
/* this is what glibc rand() returns (first 20 numbers) */
static u32_t rand_nrs[] = {0x6b8b4567, 0x327b23c6, 0x643c9869, 0x66334873, 0x74b0dc51,
0x19495cff, 0x2ae8944a, 0x625558ec, 0x238e1f29, 0x46e87ccd,
0x3d1b58ba, 0x507ed7ab, 0x2eb141f2, 0x41b71efb, 0x79e2a9e3,
0x7545e146, 0x515f007c, 0x5bd062c2, 0x12200854, 0x4db127f8};
static unsigned idx = 0;
u32_t ret = rand_nrs[idx];
idx++;
if (idx >= sizeof(rand_nrs)/sizeof((rand_nrs)[0])) {
idx = 0;
}
return ret;
#else
/* a simple LCG, unsafe but should give the same result for every execution (best for fuzzing) */
u32_t result;
static s32_t state[1] = {0xdeadbeef};
uint64_t val = state[0] & 0xffffffff;
val = ((val * 1103515245) + 12345) & 0x7fffffff;
state[0] = (s32_t)val;
result = (u32_t)val;
return result;
#endif
}
#endif

62
lwip/lwip-2.2.1/test/fuzz/fuzz_common.h Normal file
View File

@ -0,0 +1,62 @@
/*
* Copyright (c) 2001-2004 Swedish Institute of Computer Science.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Simon Goldschmidt <goldsimon@gmx.de>
*
*/
#ifndef LWIP_HDR_FUZZ_COMMON_H
#define LWIP_HDR_FUZZ_COMMON_H
#include "lwip/opt.h"
#include "lwip/arch.h"
#ifdef __cplusplus
extern "C" {
#endif
enum lwip_fuzz_type {
LWIP_FUZZ_SINGLE = 0,
LWIP_FUZZ_MULTIPACKET = 1,
LWIP_FUZZ_MULTIPACKET_TIME = 2
};
/* bitmask of what to test: */
#define LWIP_FUZZ_DEFAULT 0x01
#define LWIP_FUZZ_STATICARP 0x02
#define LWIP_FUZZ_TCP_SERVER 0x04
#define LWIP_FUZZ_TCP_CLIENT 0x08
#define LWIP_FUZZ_UDP_SERVER 0x10
#define LWIP_FUZZ_UDP_CLIENT 0x20
int lwip_fuzztest(int argc, char** argv, enum lwip_fuzz_type type, u32_t test_apps);
#ifdef __cplusplus
}
#endif
#endif /* LWIP_HDR_FUZZ_COMMON_H */

BIN
lwip/lwip-2.2.1/test/fuzz/inputs/arp/arp_req.bin Normal file
View File

Binary file not shown.

BIN
lwip/lwip-2.2.1/test/fuzz/inputs/icmp/icmp_ping.bin Normal file
View File

Binary file not shown.

BIN
lwip/lwip-2.2.1/test/fuzz/inputs/ipv6/neighbor_solicitation.bin Normal file
View File

Binary file not shown.

BIN
lwip/lwip-2.2.1/test/fuzz/inputs/ipv6/router_adv.bin Normal file
View File

Binary file not shown.

BIN
lwip/lwip-2.2.1/test/fuzz/inputs/tcp/tcp_syn.bin Normal file
View File

Binary file not shown.

BIN
lwip/lwip-2.2.1/test/fuzz/inputs/udp/udp_port_5000.bin Normal file
View File

Binary file not shown.

84
lwip/lwip-2.2.1/test/fuzz/lwipopts.h Normal file
View File

@ -0,0 +1,84 @@
/*
* Copyright (c) 2001-2003 Swedish Institute of Computer Science.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Simon Goldschmidt
*
*/
#ifndef LWIP_HDR_LWIPOPTS_H__
#define LWIP_HDR_LWIPOPTS_H__
#define MEMP_NUM_SYS_TIMEOUT 17
#define LWIP_FUZZ_SYS_NOW
#define LWIP_RAND_FOR_FUZZ
/* Prevent having to link sys_arch.c (we don't test the API layers in unit tests) */
#define NO_SYS 1
#define LWIP_NETCONN 0
#define LWIP_SOCKET 0
#define SYS_LIGHTWEIGHT_PROT 0
#define LWIP_IPV6 1
#define IPV6_FRAG_COPYHEADER 1
#define LWIP_IPV6_DUP_DETECT_ATTEMPTS 0
/* Enable some protocols to test them */
#define LWIP_DHCP 1
#define LWIP_AUTOIP 1
#define LWIP_IGMP 1
#define LWIP_DNS 1
#define LWIP_ALTCP 1
/* Turn off checksum verification of fuzzed data */
#define CHECKSUM_CHECK_IP 0
#define CHECKSUM_CHECK_UDP 0
#define CHECKSUM_CHECK_TCP 0
#define CHECKSUM_CHECK_ICMP 0
#define CHECKSUM_CHECK_ICMP6 0
/* Minimal changes to opt.h required for tcp unit tests: */
#define MEM_SIZE 16000
#define TCP_SND_QUEUELEN 40
#define MEMP_NUM_TCP_SEG TCP_SND_QUEUELEN
#define TCP_OVERSIZE 1
#define TCP_SND_BUF (12 * TCP_MSS)
#define TCP_WND (10 * TCP_MSS)
#define LWIP_WND_SCALE 1
#define TCP_RCV_SCALE 2
#define PBUF_POOL_SIZE 400 /* pbuf tests need ~200KByte */
/* Minimal changes to opt.h required for etharp unit tests: */
#define ETHARP_SUPPORT_STATIC_ENTRIES 1
#define LWIP_NUM_NETIF_CLIENT_DATA 1
#define LWIP_SNMP 1
#define MIB2_STATS 1
#define LWIP_MDNS_RESPONDER 1
#endif /* LWIP_HDR_LWIPOPTS_H__ */

31
lwip/lwip-2.2.1/test/fuzz/output_to_pcap.sh Normal file
View File

@ -0,0 +1,31 @@
#!/bin/bash
if [ -z "$1" ]
then
echo "This script will make pcap files from the afl-fuzz crash/hang files"
echo "It needs hexdump and text2pcap"
echo "Please give output directory as argument"
exit 2
fi
for i in `ls $1/crashes/id*`
do
PCAPNAME=`echo $i | grep pcap`
if [ -z "$PCAPNAME" ]; then
hexdump -C $i > $1/$$.tmp
text2pcap $1/$$.tmp ${i}.pcap
fi
done
for i in `ls $1/hangs/id*`
do
PCAPNAME=`echo $i | grep pcap`
if [ -z "$PCAPNAME" ]; then
hexdump -C $i > $1/$$.tmp
text2pcap $1/$$.tmp ${i}.pcap
fi
done
rm -f $1/$$.tmp
echo
echo "Created pcap files:"
ls $1/*/*.pcap