[Libwebsockets] Autobahn Fuzzer

Andy Green andy at warmcat.com
Mon Dec 28 10:43:42 CET 2015

Hi -

The last of the big monsters in Github is support the Autobahn fuzzer.

First you can now run it casually with test-echo and documentation on 
how to do


I'm partway through auditing each test, but we now score a lot of 
passes.  It looks like there are still real improvements to shake out 
but there are some things to discuss what to do about.

You can see the current status here


I pushed a bunch of patches that implement various things (none of them 
affect the ABI ;-) )

  - Test-echo has some improvements to make it work with what Autobahn 

  - Lws now responds to zero-length packets and you can send them (Autobahn)

  - The server side of lws has had good RX flow control for a long time 
thanks to the mirror protocol, Autobahn requires it on client side so I 
now re-use it there.  It means if you flow-control RX, you won't get any 
more RX callbacks until you let it come again, effective immediately. 
Previously, he stopped new RX packets coming now he caches any pending 
RX until it's restarted.

  - The api to find out if you're on a FIN fragment of RX told the truth 
about that even if the payload was too big to come at one time in the RX 
callback.  So you got several callbacks in that case all claiming 
correctly to be from a FIN packet.  It's a lot more useful if the FIN 
status is witheld until the last RX callback, that is what it does now.

  - We restricted PING / PONG / CLOSE payloads to 124.  Actually we 
should also have allowed 125.  So the limit and buffer is increased by 
one accordingly.

  - There are several framing sanity tests we didn't bother with like 
reject on reserved opcodes or bits (we ignored them in case an extension 
wanted them), disordered continuation, pending FIN that never came, etc. 
  They're not useful for hacking since the client can just send whatever 
he is trying to send, lws ignored that the state was wrong and just took 
the payload; it will chop it up into the rx buffer the user code can 
handle anyway.  These test to reject bad framing state are now implemented.

Basically I didn't find anything scary so far, but I am still going.

So... Autobahn has a couple of tests that I don't think belong in it, 
2.10 and 2.11 test PING queuing on a single connection, that is not in 
RFC6455 and there is no point implementing that AFAICT.  Lws just keeps 
one ping in flight at a time and ignores the others until that one was 
sent. So we will fail those.

Huge swathes of test are about expectations that we confirm UTF-8 
compliance of ws "text" message payloads.  Until now lws does not get 
involved in the content of the text messages leaving that for the user 
code.  Any feelings about that out there?


More information about the Libwebsockets mailing list