forked-daapd + AFLNet exits early: dry-run timeouts / no server states detected + connection refused #24

@HantaoGG

Description

Environment

  • OS/Kernel: Ubuntu 22.04.5 LTS (Jammy), Linux 5.15.0-164-generic, x86_64
  • Virtualization: KVM (Common KVM processor), Hypervisor: KVM
  • CPU: 96 vCPU (1 socket × 96 cores × 1 thread)
  • Memory: 256 GiB, Swap: 0
  • Disk: /dev/sda 582.2 GiB (QEMU HARDDISK)

Background

I am trying to reproduce fuzzing runs for 6 protocols using AFLNet (reproducibility of findings is not the focus yet).
The Docker images can be built successfully using the provided Dockerfiles. However, forked-daapd frequently terminates early when fuzzing with AFLNet.

Reproduction

Command:

./run.sh 10 1440 forked-daapd aflnet

Output summary from run.sh:

  • NUM_CONTAINERS: 10
  • TIMEOUT: 86400 s
  • SKIPCOUNT: 1
  • TEST TIMEOUT: 5000 ms
  • TARGET LIST: forked-daapd
  • FUZZER LIST: aflnet

Observed behavior

The fuzzing process terminates very quickly after startup. I observed two major failure patterns:

Case A: Dry run partially succeeds, then exits with “No server states detected” + “Connection refused”

Logs:

* Starting system message bus dbus       [ OK ]
 * Starting Avahi mDNS/DNS-SD Daemon avahi-daemon       [ OK ]
 * dbus is running
Avahi mDNS/DNS-SD Daemon is running
afl-fuzz 2.56b by <lcamtuf@google.com>
[+] You have 96 CPU cores and 6 runnable tasks (utilization: 6%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/home/ubuntu/experiments/in-daap'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:daapd1.raw'...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[!] WARNING: Test case results in a timeout (skipping)
[*] Attempting dry run with 'id:000001,orig:daapd2.raw'...
    len = 2800, map size = 325, exec speed = 1329576 us
[!] WARNING: Instrumentation output varies across runs.
[!] WARNING: Skipped 1 test cases (50.00%) due to timeouts.
[!] WARNING: High percentage of rejected test cases, check settings!
[+] All test cases processed.

[!] WARNING: The target binary is pretty slow! See docs/perf_tips.txt.
[+] Here are some useful stats:

    Test case count : 1 favored, 1 variable, 2 total
       Bitmap range : 325 to 325 bits (average: 325.00 bits)
        Exec timing : 1.33M to 1.33M us (average: 1.33M us)

[+] All set and ready to roll!

[-]  SYSTEM ERROR : No server states have been detected. Server responses are likely empty!
    Stop location : main(), afl-fuzz.c:9255
       OS message : Connection refused

Case B: Both seeds time out during dry run, AFL aborts

Logs:

* Starting system message bus dbus       [ OK ]
 * Starting Avahi mDNS/DNS-SD Daemon avahi-daemon       [ OK ]
 * dbus is running
Avahi mDNS/DNS-SD Daemon is running
afl-fuzz 2.56b by <lcamtuf@google.com>
[+] You have 96 CPU cores and 6 runnable tasks (utilization: 6%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/home/ubuntu/experiments/in-daap'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:daapd1.raw'...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[!] WARNING: Test case results in a timeout (skipping)
[*] Attempting dry run with 'id:000001,orig:daapd2.raw'...
[!] WARNING: Test case results in a timeout (skipping)

[-] PROGRAM ABORT : All test cases time out, giving up!
         Location : perform_dry_run(), afl-fuzz.c:3756

Expected behavior

AFLNet should continue fuzzing after initialization (even if some seeds time out), instead of terminating early due to:

  • all initial seeds timing out, or
  • “No server states detected” combined with “Connection refused”.

Notes / Hypothesis

  • In some runs, one seed can pass dry run but AFLNet later fails with:

    • No server states have been detected (responses might be empty / not parsed as HTTP),
    • and Connection refused (server not listening / server restarted too aggressively / not ready when AFLNet connects).
  • forked-daapd might require a longer warm-up time, or AFLNet might need different defaults for this target (timeouts, server-ready wait, state parser, etc.).

Questions

  1. Are there recommended AFLNet parameters for forked-daapd in this benchmark setup (e.g., -t, -W, -D, enabling/disabling -K, protocol parser choice)?
  2. Is -P HTTP the intended parser for forked-daapd in this repository, or should another protocol/state extractor be used?
  3. Is there a known issue where the forked-daapd server may not be ready / may exit during AFLNet’s initialization, causing Connection refused?
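The two hypotheses above (server not yet listening, and responses that yield no HTTP states) can be checked outside afl-fuzz before a run. This is an added example, not code from the issue, AFLNet or forked-daapd; it assumes the DAAP server is reachable at 127.0.0.1:3689, uses the seed path from the logs, and its status-line matcher is a simplified stand-in for AFLNet's -P HTTP state extractor, not the real one.

```python
import re
import socket
import time

# Simplified stand-in for AFLNet's -P HTTP state extractor: every
# "HTTP/1.x <code>" status line in the concatenated responses becomes one
# state. No status lines -> no states -> "No server states have been detected".
STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})")

def extract_http_states(responses: bytes) -> list:
    """Return the status-code sequence found in a raw response buffer."""
    return [int(m.group(1)) for m in STATUS_LINE.finditer(responses)]

def wait_for_port(host: str, port: int, timeout_s: float, step_s: float = 0.25):
    """Poll until the server accepts a TCP connection. Returns the warm-up
    time in seconds (a lower bound for AFLNet's -W, which is in ms), or None
    if every attempt in the window failed, i.e. the daemon never listened."""
    start = time.monotonic()
    while time.monotonic() - start < timeout_s:
        try:
            with socket.create_connection((host, port), timeout=step_s):
                return time.monotonic() - start
        except OSError:  # includes ConnectionRefusedError while starting up
            time.sleep(step_s)
    return None

def probe_seed(host: str, port: int, seed: bytes, quiet_s: float = 2.0) -> bytes:
    """Send one raw seed and collect the reply until the server closes the
    connection or stays quiet for quiet_s seconds (the buffer AFLNet parses)."""
    buf = b""
    with socket.create_connection((host, port), timeout=quiet_s) as s:
        s.sendall(seed)
        try:
            while chunk := s.recv(4096):
                buf += chunk
        except socket.timeout:
            pass
    return buf

if __name__ == "__main__":
    HOST, PORT = "127.0.0.1", 3689  # assumed DAAP host/port; adjust to the benchmark
    SEED = "/home/ubuntu/experiments/in-daap/daapd1.raw"  # seed dir from the logs
    warmup = wait_for_port(HOST, PORT, timeout_s=30.0)
    if warmup is None:
        raise SystemExit("server never listened: AFLNet would see 'Connection refused'")
    print(f"server up after {warmup:.2f}s; -W should be at least {warmup * 1000:.0f}")
    with open(SEED, "rb") as f:
        states = extract_http_states(probe_seed(HOST, PORT, f.read()))
    print("states:", states or "none -> expect 'No server states detected'")
```

Run it inside the container after the dbus/avahi start lines and before afl-fuzz: a None warm-up points at the server startup, an empty state list at the response/parser side.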
