How to Use Socket Fuzzing With CI Fuzz

This article explains how to create a network socket fuzz test

To be able to test your software with a socket fuzz test you need to be able to compile the software into a dynamic library. CI Fuzz will do this automatically if you set the flag for position independent code compilation in the project.yaml file:

- "-fPIC"

After this you can create a network socket fuzz test (e.g. using the VS Code plugin). The following code example shows a networks socket fuzzing test:

#include <flibc.h>

#include <fstream>

#include <signal.h>

#include <iostream>

#include <stdio.h>

int start_server(int argc, char** argv) {

//Put your code to start the target server here:

return 0;


//Used for timeout for select()

struct timeval tv;

fd_set fdread;

//Used to store server responses

uint8_t buf[1024];

//This function is called in a loop. The data and size are the fuzzing data

//The first argument of this function is a method that will be called once when

//the fuzz test is started, so it should be used to start the server application

FUZZ_TCP_SERVER(start_server, 8080, int client_fd, const uint8_t* data, size_t size) {


//Use this if you want to ignore broken pipe signals



//Receive any server banners or messages that are sent when a connection is made

recv(client_fd, buf, 512, 0);

std::cout << buf << "\n";

//Send our fuzzing data to the server

int written = write(client_fd, data, size);


//The following is used to receive potential server answers in a non blocking way.

//Since recv is blocking we need to use select to check if the server is actually sending a response

int selectStatus = 1;

while (selectStatus > 0) {

tv.tv_sec = 0;

tv.tv_usec = 1600;



FD_SET( client_fd, &fdread );

selectStatus = select(client_fd+1, &fdread, NULL, NULL, &tv);

//selectStatus bigger than 0 means we can receive something

if (selectStatus > 0) {

int received_bytes = recv(client_fd, buf, 1024, 0);

std::cout << "Received " << received_bytes << " bytes\n" << buf << "\n";

if (received_bytes == 0) break;

//Here you can process the received bytes, e.g. send a specific second request