Commit a5bcaa70ed for strongswan.org
commit a5bcaa70ed9be8425774ab1e5a1515f9baa9f455
Author: Arthur Chan <arthur.chan@adalogics.com>
Date: Wed Mar 11 21:54:45 2026 +0000
fuzz: Add fuzzer targeting VICI messages
Closes strongswan/strongswan#3026
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
index ec40917496..ca184d868c 100644
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@@ -10,3 +10,4 @@ fuzz_ocsp_rsp_cus
fuzz_ocsp_rsp_def
fuzz_pa_tnc
fuzz_pb_tnc
+fuzz_vici
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index b2801e0c9b..dba75c84a7 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -38,7 +38,7 @@ pb_tnc_ldflags = \
$(top_builddir)/src/libtncif/.libs/libtncif.a \
$(fuzz_ldflags)
-ike_ldflags = \
+charon_ldflags = \
$(top_builddir)/src/libcharon/.libs/libcharon.a \
$(top_builddir)/src/libradius/.libs/libradius.a \
$(fuzz_ldflags)
@@ -51,7 +51,7 @@ fuzzers_with_def = $(fuzzers_with_plugins:%=%_def)
fuzzers_with_cus = $(fuzzers_with_plugins:%=%_cus)
fuzzers_no_plugins = \
- fuzz_ids fuzz_ike fuzz_pa_tnc fuzz_pb_tnc
+ fuzz_ids fuzz_ike fuzz_pa_tnc fuzz_pb_tnc fuzz_vici
ALL_FUZZERS=$(fuzzers_with_def) $(fuzzers_with_cus) $(fuzzers_no_plugins)
@@ -93,7 +93,10 @@ fuzz_ids: fuzz_ids.c ${libfuzzer}
$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
fuzz_ike: fuzz_ike.c ${libfuzzer}
- $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(ike_ldflags)
+ $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(charon_ldflags)
+
+fuzz_vici: fuzz_vici.c ${libfuzzer}
+ $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(charon_ldflags)
noinst_LIBRARIES = libFuzzerLocal.a
libFuzzerLocal_a_SOURCES = libFuzzerLocal.c
diff --git a/fuzz/fuzz_vici.c b/fuzz/fuzz_vici.c
new file mode 100644
index 0000000000..b8a9b75d91
--- /dev/null
+++ b/fuzz/fuzz_vici.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2026 Arthur SC Chan
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <library.h>
+#include <plugins/vici/vici_message.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ dbg_default_set_level(-1);
+ library_init(NULL, "fuzz_vici");
+ libcharon_init();
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+ enumerator_t *enumerator;
+ vici_message_t *msg;
+ chunk_t data, value;
+ vici_type_t type;
+ char *name;
+ int count;
+
+ if (len < 1)
+ {
+ return 0;
+ }
+
+ data = chunk_create((u_char*)buf, len);
+ msg = vici_message_create_from_data(data, FALSE);
+
+ msg->get_str(msg, NULL, "version");
+ msg->get_int(msg, 0, "timeout");
+ msg->get_bool(msg, FALSE, "enabled");
+ msg->get_value(msg, chunk_empty, "data");
+
+ enumerator = msg->create_enumerator(msg);
+ count = 0;
+ while (count++ < 10000 &&
+ enumerator->enumerate(enumerator, &type, &name, &value));
+ enumerator->destroy(enumerator);
+
+ msg->destroy(msg);
+ return 0;
+}
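Review bot: The enumeration loop in LLVMFuzzerTestOneInput (`while (count++ < 10000 && enumerator->enumerate(...));`) has an empty body and never inspects `type`, so only a FALSE return or the counter can end it. If the message enumerator reports the end of a message by returning TRUE with `VICI_END` (its implementation is not part of this diff, so this needs confirming), every input that parses cleanly spins through the remaining iterations, which costs executions per second and makes the 10000 cap the real terminator rather than a safety net. Give the loop a braced body containing `if (type == VICI_END) { break; }`, and document the constant with a comment such as `/* bound the walk so a non-terminating enumerator becomes a finite run instead of a hang */`. Because `name` and `value` are written but never read, a chunk that points outside `data` would go unnoticed; reading the bytes of `value` (its `ptr` for `len` bytes) inside the loop would let the sanitizer flag that.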