test: Add fuzzing to CI test + minor fix

.github/workflows/fail_on_error.py

@@ -11,7 +11,9 @@ def codeql_sarif_contain_error(filename):
     for run in s.get('runs', []):
         rules_metadata = run['tool']['driver']['rules']
         if not rules_metadata:
-            rules_metadata = run['tool']['extensions'][0]['rules']
+            extensions = run['tool'].get('extensions', [])
+            if extensions and 'rules' in extensions[0]:
+                rules_metadata = extensions[0]['rules']
 
         for res in run.get('results', []):
             if 'ruleIndex' in res:

.github/workflows/fuzzer.yml

@@ -0,0 +1,41 @@
+name: "fuzzing lwip with afl++"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: '*'
+
+jobs:
+  fuzz_test:
+    name: Fuzzer tests for lwip
+
+    runs-on: ubuntu-22.04
+    container: aflplusplus/aflplusplus
+    steps:
+      - name: Checkout lwip
+        uses: actions/checkout@v4
+
+      - name: Run AFL++
+        shell: bash
+        run: |
+          cd test/fuzz
+          CC=afl-gcc-fast CCDEP=gcc make -j 4
+          timeout 10m afl-fuzz -i inputs -o out -- ./lwip_fuzz || \
+          if [ $? -eq 124 ]; then  # timeout exit code
+            if [ -n "$(find out/default/crashes -type f 2>/dev/null)" ]; then
+              echo "Crashes found!";
+              tar -czf out/default/crashes.tar.gz -C out/default crashes;
+              exit 1;
+            fi
+          else
+            exit 1;
+          fi
+
+      - name: Upload Crash Artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-crashes
+          path: test/fuzz/out/default/crashes.tar.gz
+          if-no-files-found: ignore

test/fuzz/Makefile

@@ -1,8 +1,8 @@
 #
 # Copyright (c) 2001, 2002 Swedish Institute of Computer Science.
-# All rights reserved. 
-# 
-# Redistribution and use in source and binary forms, with or without modification, 
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
 # are permitted provided that the following conditions are met:
 #
 # 1. Redistributions of source code must retain the above copyright notice,
@@ -11,29 +11,30 @@
 #    this list of conditions and the following disclaimer in the documentation
 #    and/or other materials provided with the distribution.
 # 3. The name of the author may not be used to endorse or promote products
-#    derived from this software without specific prior written permission. 
+#    derived from this software without specific prior written permission.
 #
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED 
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
-# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
-# SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
-# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 
-# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 
-# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY 
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
 # OF SUCH DAMAGE.
 #
 # This file is part of the lwIP TCP/IP stack.
-# 
+#
 # Author: Adam Dunkels <[email protected]>
 #
 
 all compile: lwip_fuzz lwip_fuzz2 lwip_fuzz3
 .PHONY: all clean
 
 ifeq ($(origin CC), default)
-CC=afl-gcc
+CC=afl-gcc-fast
+CCDEP=afl-cc
 endif
 
 LDFLAGS=-lm

test/fuzz/README

@@ -1,4 +1,3 @@
-
 Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar)
 
 This directory contains small apps that read Ethernet frames from stdin and
@@ -32,3 +31,15 @@ file to simplify viewing in wireshark.
 The lwipopts.h file needs to have checksum checking off, otherwise almost every
 packet will be discarded because of that. The other options can be tuned to
 expose different parts of the code.
+
+To reproduce crashes or hangs, it's useful to build the fuzz targets locally
+(without AFL) and feed them with the saved output files (supplied as command
+line arguments), for example:
+
+make clean && CC=gcc make
+./lwip_fuzz output/default/crashes/id:000001,sig:11,src:000254,time:13211,execs:374294,op:havoc,rep:3
+
+Note: It's convenient to run AFL++ in a container:
+
+docker pull aflplusplus/aflplusplus:latest
+docker run -ti -v /your-local-lwip-repo/:/lwip aflplusplus/aflplusplus