High level conclusions

Fuzzers reach 63.29% of cyclomatic complexity.

Fuzzers reach 58.25% of all functions.

Fuzzer wnm is blocked:

The runtime code coverage of wnm covers 6.327% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer ap-mgmt is blocked:

The runtime code coverage of ap-mgmt covers 10.75% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer tls-server is blocked:

The runtime code coverage of tls-server covers 29.87% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer dpp-uri is blocked:

The runtime code coverage of dpp-uri covers 10.01% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer pasn-resp is blocked:

The runtime code coverage of pasn-resp covers 26.29% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

3084 / 5294

Cyclomatic complexity statically reachable by fuzzers

23923 / 37796

Runtime code coverage of functions

1172 / 5294

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: sae

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	103	41.8%
gold	[1:9]	3	1.21%
yellow	[10:29]	3	1.21%
greenyellow	[30:49]	16	6.50%
lawngreen	50+	121	49.1%
All colors	246	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
90	90	1 : View List ['sae_parse_commit_element_ffc']	90	90	sae_parse_commit_element	call site: 00118	/src/hostap/src/common/sae.c:2054
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00182	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00090	/src/hostap/src/utils/wpa_debug.c:281
4	4	2 : View List ['BN_num_bits', 'BN_bn2bin']	4	4	crypto_bignum_to_bin	call site: 00146	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2055
3	125	3 : View List ['sae_clear_data', 'crypto_bignum_init_set', 'dh_groups_get']	3	125	sae_set_group	call site: 00056	/src/hostap/src/common/sae.c:46
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	0	None	6	6	crypto_ec_point_from_bin	call site: 00160	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2601
0	0	None	4	273	sae_parse_commit	call site: 00118	/src/hostap/src/common/sae.c:2213
0	0	None	3	226	sae_set_group	call site: 00022	/src/hostap/src/common/sae.c:33
0	0	None	0	42	sae_parse_password_identifier	call site: 00180	/src/hostap/src/common/sae.c:2109
0	0	None	0	40	sae_parse_rejected_groups	call site: 00213	/src/hostap/src/common/sae.c:2148
0	0	None	0	7	sae_parse_commit_scalar	call site: 00104	/src/hostap/src/common/sae.c:1923

Runtime coverage analysis

Covered functions

58

Functions that are reachable but not covered

46

Reachable functions

104

Percentage of reachable functions covered

55.77%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/sae/sae.c	1
tests/fuzzing/sae/../fuzzer-common.c	1
src/utils/os_unix.c	5
src/common/sae.c	18
src/common/../utils/common.h	2
src/utils/wpa_debug.c	6
tests/fuzzing/sae/../../../src/common/dragonfly.c	1
tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c	20
src/utils/wpabuf.c	4
src/utils/common.c	2
tests/fuzzing/sae/../../../src/crypto/dh_groups.c	1
src/common/../utils/wpabuf.h	3
src/utils/./wpabuf.h	3
src/common/../utils/wpa_debug.h	1

Fuzzer: json

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7	9.85%
gold	[1:9]	4	5.63%
yellow	[10:29]	4	5.63%
greenyellow	[30:49]	5	7.04%
lawngreen	50+	51	71.8%
All colors	71	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	0	None	6	261	json_parse	call site: 00005	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:238
0	0	None	6	261	json_parse	call site: 00032	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:304
0	0	None	6	261	json_parse	call site: 00041	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:376
0	0	None	6	261	json_parse	call site: 00047	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:428
0	0	None	2	17	json_parse_string	call site: 00023	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:76
0	0	None	2	17	json_parse_string	call site: 00024	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:91
0	0	None	2	2	json_parse_number	call site: 00045	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:179
0	0	None	0	3	json_parse	call site: 00045	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:424
0	0	None	0	0	json_parse_number	call site: 00045	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:175

Runtime coverage analysis

Covered functions

17

Functions that are reachable but not covered

12

Reachable functions

29

Percentage of reachable functions covered

58.62%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/json/json.c	1
tests/fuzzing/json/../fuzzer-common.c	1
tests/fuzzing/json/../../../src/utils/json.c	9
tests/fuzzing/json/../../../src/utils/wpa_debug.c	2
tests/fuzzing/json/../../../src/utils/os_unix.c	2
tests/fuzzing/json/../../../src/utils/common.c	3
tests/fuzzing/json/../../../src/utils/os.h	1

Fuzzer: eap-mschapv2-peer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	48.0%
gold	[1:9]	1	2.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	25	50.0%
All colors	50	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
82	82	2 : View List ['wpabuf_put_be24', 'wpabuf_put_be32']	82	82	eap_msg_alloc	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_common/eap_common.c:146
59	107	2 : View List ['generate_nt_response_pwhash', 'generate_authenticator_response_pwhash']	59	318	mschapv2_derive_response	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/mschapv2.c:63
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00000	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00035	/src/hostap/src/utils/wpa_debug.c:281
4	16	2 : View List ['eap_mschapv2_deinit', 'os_memdup']	4	16	eap_mschapv2_init	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:126
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	4	1 : View List ['wpabuf_free']	0	4	eap_mschapv2_challenge_reply	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:211
0	2	1 : View List ['eap_sm_request_identity']	0	2	eap_mschapv2_check_config	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:718
0	2	1 : View List ['eap_sm_request_password']	0	2	eap_mschapv2_check_config	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:724
0	0	None	8	32	eap_mschapv2_init	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:117
0	0	None	0	231	eap_mschapv2_challenge_reply	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:196
0	0	None	0	231	eap_mschapv2_challenge_reply	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:206

Runtime coverage analysis

Covered functions

89

Functions that are reachable but not covered

12

Reachable functions

32

Percentage of reachable functions covered

62.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eap-mschapv2-peer/eap-mschapv2-peer.c	3
tests/fuzzing/eap-mschapv2-peer/../fuzzer-common.c	1
tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c	1
src/utils/os_unix.c	2
tests/fuzzing/eap-mschapv2-peer/../../../src/utils/common.h	1
src/utils/wpabuf.c	5
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/eap-mschapv2-peer/../../../src/utils/wpa_debug.h	1
tests/fuzzing/eap-mschapv2-peer/../../../src/utils/wpabuf.h	2

Fuzzer: eap-aka-peer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	48.0%
gold	[1:9]	1	2.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	25	50.0%
All colors	50	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
492	849	9 : View List ['wpa_hexdump', 'eap_aka_prime_derive_keys_reauth', 'eap_aka_response_reauth', 'eap_sim_derive_keys_reauth', 'eap_aka_clear_identities', 'eap_sim_parse_encr', 'free', 'eap_aka_state', 'eap_aka_learn_ids']	492	1242	eap_aka_process_reauthentication	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1366
203	271	4 : View List ['eap_sim_msg_add_encr_start', 'eap_sim_msg_add_encr_end', 'eap_sim_msg_add', 'eap_sim_msg_free']	203	412	eap_aka_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:867
109	109	2 : View List ['eap_aka_ext_sim_result', 'eap_aka_ext_sim_req']	109	109	eap_aka_umts_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:292
103	103	1 : View List ['eap_aka_process_notification_reauth']	103	103	eap_aka_process_notification_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1282
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00000	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00035	/src/hostap/src/utils/wpa_debug.c:281
2	2	1 : View List ['eap_aka_prime_derive_keys']	2	574	eap_aka_process_challenge	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1179
2	2	1 : View List ['eap_sm_request_identity']	2	2	eap_aka_process	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1477
2	2	1 : View List ['eap_sim_verify_mac_sha256']	2	2	eap_aka_verify_mac	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:951
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	135	2 : View List ['wpabuf_free', 'eap_aka_client_error']	0	135	eap_aka_process_identity	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:932
0	75	1 : View List ['eap_sim_msg_add_mac']	0	141	eap_aka_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:883

Runtime coverage analysis

Covered functions

99

Functions that are reachable but not covered

12

Reachable functions

32

Percentage of reachable functions covered

62.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eap-aka-peer/eap-aka-peer.c	3
tests/fuzzing/eap-aka-peer/../fuzzer-common.c	1
tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c	1
src/utils/os_unix.c	2
tests/fuzzing/eap-aka-peer/../../../src/utils/common.h	1
src/utils/wpabuf.c	5
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/eap-aka-peer/../../../src/utils/wpa_debug.h	1
tests/fuzzing/eap-aka-peer/../../../src/utils/wpabuf.h	2

Fuzzer: x509

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	54	15.2%
gold	[1:9]	25	7.04%
yellow	[10:29]	21	5.91%
greenyellow	[30:49]	20	5.63%
lawngreen	50+	235	66.1%
All colors	355	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00105	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00045	/src/hostap/src/utils/wpa_debug.c:281
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	31	1 : View List ['x509_certificate_free']	0	31	x509_certificate_parse	call site: 00350	/src/hostap/src/tls/x509v3.c:1807
0	0	None	0	900	x509_parse_tbs_certificate	call site: 00187	/src/hostap/src/tls/x509v3.c:1557
0	0	None	0	31	x509_certificate_parse	call site: 00039	/src/hostap/src/tls/x509v3.c:1754
0	0	None	0	6	x509_certificate_free	call site: 00039	/src/hostap/src/tls/x509v3.c:49
0	0	None	0	3	x509_parse_name	call site: 00101	/src/hostap/src/tls/x509v3.c:408
0	0	None	0	3	x509_parse_name	call site: 00133	/src/hostap/src/tls/x509v3.c:440
0	0	None	0	0	asn1_oid_to_str	call site: 00229	/src/hostap/src/tls/asn1.c:357
0	0	None	0	0	x509_parse_algorithm_identifier	call site: 00076	/src/hostap/src/tls/x509v3.c:200
0	0	None	0	0	x509_parse_name	call site: 00086	/src/hostap/src/tls/x509v3.c:312

Runtime coverage analysis

Covered functions

74

Functions that are reachable but not covered

17

Reachable functions

91

Percentage of reachable functions covered

81.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/x509/x509.c	1
tests/fuzzing/x509/../fuzzer-common.c	1
src/tls/x509v3.c	40
src/utils/os_unix.c	5
src/tls/asn1.c	10
src/utils/wpa_debug.c	6
src/tls/./asn1.h	11
src/utils/common.c	1
src/tls/../utils/os.h	1

Fuzzer: radius

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	55	29.5%
gold	[1:9]	1	0.53%
yellow	[10:29]	3	1.61%
greenyellow	[30:49]	4	2.15%
lawngreen	50+	123	66.1%
All colors	186	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
39	39	1 : View List ['wpabuf_put_u8']	39	130	radius_msg_add_attr	call site: 00055	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:796
16	18	2 : View List ['wpabuf_mhead', 'wpabuf_resize']	55	334	radius_msg_add_attr	call site: 00049	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:789
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00162	/src/hostap/src/utils/wpa_debug.c:281
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	7	1 : View List ['radius_msg_free']	0	7	radius_msg_new	call site: 00012	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:111
0	4	1 : View List ['MD5Transform']	0	4	MD5Update	call site: 00082	/src/hostap/src/crypto/md5-internal.c:121
0	2	1 : View List ['wpabuf_len']	0	2	radius_msg_finish	call site: 00095	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:479
0	0	None	55	342	radius_msg_add_attr	call site: 00041	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:751
0	0	None	55	336	radius_msg_add_attr	call site: 00046	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:765
0	0	None	55	336	radius_msg_add_attr	call site: 00047	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:775
0	0	None	2	33	radius_msg_finish	call site: 00035	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:468
0	0	None	2	8	radius_msg_finish	call site: 00034	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:464

Runtime coverage analysis

Covered functions

61

Functions that are reachable but not covered

21

Reachable functions

82

Percentage of reachable functions covered

74.39%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/radius/radius.c	1
tests/fuzzing/radius/../fuzzer-common.c	1
src/utils/os_unix.c	6
tests/fuzzing/radius/../../../src/radius/radius.c	23
src/utils/wpabuf.c	6
tests/fuzzing/radius/../../../src/utils/os.h	2
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/radius/../../../src/utils/wpabuf.h	8
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/utils/common.c	4
src/utils/../utils/os.h	1
tests/fuzzing/radius/../../../src/utils/common.h	2
tests/fuzzing/radius/../../../src/utils/wpa_debug.h	1

Fuzzer: pasn-init

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	795	68.1%
gold	[1:9]	25	2.14%
yellow	[10:29]	16	1.37%
greenyellow	[30:49]	4	0.34%
lawngreen	50+	327	28.0%
All colors	1167	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
974	974	5 : View List ['wpas_pasn_wd_fils_rx', 'pmksa_cache_get', 'wpas_pasn_wd_sae_rx', 'pmksa_cache_add', 'wpa_key_mgmt_ft.1744']	974	974	wpas_pasn_set_pmk	call site: 00762	/src/hostap/tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c:843
77	77	1 : View List ['wpa_ltf_keyseed']	794	1060	wpa_pasn_auth_rx	call site: 01066	/src/hostap/tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c:1319
73	73	2 : View List ['wpa_parse_wpa_ie_wpa', 'WPA_GET_BE32.1503']	73	313	wpa_parse_wpa_ie	call site: 00607	/src/hostap/tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c:31
49	49	1 : View List ['sha384_vector']	49	49	pasn_auth_frame_hash	call site: 00526	/src/hostap/tests/fuzzing/pasn-init/../../../src/common/wpa_common.c:1731
36	36	1 : View List ['sha384_prf']	36	241	pasn_pmk_to_ptk	call site: 01051	/src/hostap/tests/fuzzing/pasn-init/../../../src/common/wpa_common.c:1512
24	24	1 : View List ['sae_deinit_pt']	24	31	wpa_pasn_reset	call site: 01159	/src/hostap/tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c:794
21	21	1 : View List ['hmac_sha384']	21	55	pasn_mic	call site: 01096	/src/hostap/tests/fuzzing/pasn-init/../../../src/common/wpa_common.c:1693
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00198	/src/hostap/src/utils/wpa_debug.c:281
4	8	3 : View List ['wpabuf_free', 'ERR_error_string', 'ERR_get_error']	16	20	crypto_ecdh_set_peerkey	call site: 00738	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:3067
4	4	2 : View List ['ERR_error_string', 'ERR_get_error']	10	14	crypto_ecdh_get_pubkey	call site: 00094	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2920
4	4	2 : View List ['BN_num_bits', 'BN_bn2bin']	4	4	crypto_bignum_to_bin	call site: 00099	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2055
2	2	1 : View List ['BN_new']	14	123	crypto_ecdh_get_pubkey	call site: 00091	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2911

Runtime coverage analysis

Covered functions

101

Functions that are reachable but not covered

192

Reachable functions

292

Percentage of reachable functions covered

34.25%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/pasn-init/pasn-init.c	1
tests/fuzzing/pasn-init/../fuzzer-common.c	1
tests/fuzzing/pasn-init/../../../src/utils/os_unix.c	7
tests/fuzzing/pasn-init/../../../src/utils/common.c	7
tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c	16
tests/fuzzing/pasn-init/../../../src/common/dragonfly.c	3
tests/fuzzing/pasn-init/../../../src/utils/wpa_debug.c	7
tests/fuzzing/pasn-init/../../../src/common/ieee802_11_common.c	9
tests/fuzzing/pasn-init/../../../src/crypto/crypto_openssl.c	46
tests/fuzzing/pasn-init/../../../src/utils/wpabuf.c	7
tests/fuzzing/pasn-init/../../../src/utils/wpabuf.h	11
tests/fuzzing/pasn-init/../../../src/common/wpa_common.c	29
tests/fuzzing/pasn-init/../../../src/common/defs.h	4
tests/fuzzing/pasn-init/../../../src/rsn_supp/pmksa_cache.c	2
tests/fuzzing/pasn-init/../../../src/common/sae.c	41
tests/fuzzing/pasn-init/../../../src/crypto/dh_groups.c	1
tests/fuzzing/pasn-init/../../../src/utils/common.h	6
tests/fuzzing/pasn-init/../../../src/utils/wpa_debug.h	1
tests/fuzzing/pasn-init/../../../src/eapol_supp/eapol_supp_sm.h	4
tests/fuzzing/pasn-init/../../../src/common/ieee802_11_common.h	1
tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c	1
tests/fuzzing/pasn-init/../../../src/crypto/sha256-prf.c	2
tests/fuzzing/pasn-init/../../../src/crypto/sha384-prf.c	2
tests/fuzzing/pasn-init/../../../src/pasn/pasn_common.c	1

Fuzzer: asn1

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	29	34.1%
gold	[1:9]	6	7.05%
yellow	[10:29]	8	9.41%
greenyellow	[30:49]	1	1.17%
lawngreen	50+	41	48.2%
All colors	85	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00067	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00039	/src/hostap/src/utils/wpa_debug.c:281
0	0	None	0	0	asn1_get_next	call site: 00005	/src/hostap/src/tls/asn1.c:180
0	0	None	0	0	asn1_oid_to_str	call site: 00057	/src/hostap/src/tls/asn1.c:357
0	0	None	0	0	asn1_parse	call site: 00033	/src/hostap/tests/fuzzing/asn1/asn1.c:86
0	0	None	0	0	asn1_parse	call site: 00033	/src/hostap/tests/fuzzing/asn1/asn1.c:111

Runtime coverage analysis

Covered functions

19

Functions that are reachable but not covered

9

Reachable functions

28

Percentage of reachable functions covered

67.86%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/asn1/asn1.c	3
tests/fuzzing/asn1/../fuzzer-common.c	1
tests/fuzzing/asn1/../../../src/tls/asn1.c	8
tests/fuzzing/asn1/../../../src/utils/wpa_debug.c	6
tests/fuzzing/asn1/../../../src/utils/os_unix.c	1
tests/fuzzing/asn1/../../../src/tls/asn1.h	1
tests/fuzzing/asn1/../../../src/utils/os.h	1

Fuzzer: pasn-resp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	805	73.7%
gold	[1:9]	53	4.85%
yellow	[10:29]	50	4.57%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	184	16.8%
All colors	1092	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
953	1028	6 : View List ['ieee802_11_defrag', 'wpa_key_mgmt_ft.1739', 'pmksa_cache_auth_get', 'pasn_derive_keys', 'pasn_wd_handle_sae_commit', 'pasn_auth_frame_hash']	953	1388	handle_auth_pasn_1	call site: 00323	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:837
641	788	16 : View List ['os_zalloc', 'wpabuf_put', 'wpabuf_zeropad', 'pasn_mic_len', 'wpa_pasn_add_extra_ies', 'free', 'wpa_pasn_add_parameter_ie', 'wpa_pasn_add_wrapped_data', 'crypto_ecdh_get_pubkey', 'wpabuf_alloc', 'pasn_get_wrapped_data', 'wpabuf_put_data.1708', 'pasn_mic', 'wpabuf_put_u8.1712', 'wpa_pasn_add_rsne', 'crypto_ecdh_prime_len']	641	820	handle_auth_pasn_resp	call site: 00806	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:509
140	140	1 : View List ['pasn_wd_handle_sae_confirm']	140	270	handle_auth_pasn_3	call site: 01038	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:1080
21	21	1 : View List ['hmac_sha384']	21	55	pasn_mic	call site: 00998	/src/hostap/tests/fuzzing/pasn-init/../../../src/common/wpa_common.c:1693
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00056	/src/hostap/src/utils/wpa_debug.c:281
4	8	3 : View List ['wpabuf_free', 'ERR_error_string', 'ERR_get_error']	16	20	crypto_ecdh_set_peerkey	call site: 00310	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:3067
4	4	2 : View List ['AES_unwrap_key', 'OPENSSL_cleanse']	4	4	aes_unwrap	call site: 01071	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:736
2	2	1 : View List ['clock_gettime']	2	2	os_get_reltime	call site: 00187	/src/hostap/src/utils/os_unix.c:94
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	28	1 : View List ['wpa_hexdump']	0	28	__ieee802_11_parse_elems	call site: 00053	/src/hostap/src/common/ieee802_11_common.c:699
0	7	1 : View List ['wpabuf_alloc']	0	7	wpabuf_resize	call site: 00330	/src/hostap/src/utils/wpabuf.c:54
0	0	None	1091	1843	handle_auth_pasn_1	call site: 00134	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:732

Runtime coverage analysis

Covered functions

77

Functions that are reachable but not covered

213

Reachable functions

289

Percentage of reachable functions covered

26.3%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/pasn-resp/pasn-resp.c	3
tests/fuzzing/pasn-resp/../fuzzer-common.c	1
tests/fuzzing/pasn-resp/../../../src/utils/os_unix.c	8
tests/fuzzing/pasn-resp/../../../src/utils/eloop.c	4
tests/fuzzing/pasn-resp/../../../src/utils/list.h	2
tests/fuzzing/pasn-resp/../../../src/utils/wpa_debug.c	7
tests/fuzzing/pasn-resp/../../../src/pasn/pasn_common.c	3
tests/fuzzing/pasn-resp/../../../src/utils/common.c	7
tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c	10
tests/fuzzing/pasn-resp/../../../src/common/ieee802_11_common.c	8
tests/fuzzing/pasn-resp/../../../src/utils/common.h	7
tests/fuzzing/pasn-resp/../../../src/common/ieee802_11_common.h	1
tests/fuzzing/pasn-resp/../../../src/common/wpa_common.c	23
tests/fuzzing/pasn-resp/../../../src/ap/comeback_token.c	3
tests/fuzzing/pasn-resp/../../../src/crypto/crypto_openssl.c	46
tests/fuzzing/pasn-resp/../../../src/utils/wpabuf.c	7
tests/fuzzing/pasn-resp/../../../src/utils/wpabuf.h	11
tests/fuzzing/pasn-resp/../../../src/utils/os.h	3
tests/fuzzing/pasn-resp/../../../src/common/sae.c	40
tests/fuzzing/pasn-resp/../../../src/common/dragonfly.c	3
tests/fuzzing/pasn-resp/../../../src/crypto/dh_groups.c	1
tests/fuzzing/pasn-resp/../../../src/utils/wpa_debug.h	1
tests/fuzzing/pasn-resp/../../../src/common/defs.h	3
tests/fuzzing/pasn-resp/../../../src/crypto/sha256-prf.c	2
tests/fuzzing/pasn-resp/../../../src/crypto/sha384-prf.c	2

Fuzzer: p2p

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1406	59.8%
gold	[1:9]	144	6.13%
yellow	[10:29]	87	3.70%
greenyellow	[30:49]	62	2.63%
lawngreen	50+	650	27.6%
All colors	2349	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1125	3211	10 : View List ['p2p_channels_intersect', 'p2p_channel_random_social', 'p2p_peer_channels_check', 'p2p_check_pref_chan', 'p2p_invite_send', 'p2p_channel_to_freq', 'p2p_clear_timeout', 'p2p_set_state', 'p2p_parse_free', 'p2p_parse']	1125	3236	p2p_process_invitation_resp	call site: 01742	/src/hostap/src/p2p/p2p_invitation.c:505
1096	1096	1 : View List ['p2p_go_neg_failed']	1096	1120	p2p_device_free	call site: 00365	/src/hostap/src/p2p/p2p.c:946
585	945	14 : View List ['p2p_buf_add_config_timeout', 'p2p_buf_add_intended_addr', 'p2p_buf_add_persistent_group_info', 'is_zero_ether_addr.1253', 'p2ps_add_new_group_info', 'p2p_is_peer_6ghz_capab', 'p2p_buf_add_connection_capability', 'p2p_buf_add_operating_channel', 'p2p_buf_add_feature_capability', 'p2p_buf_add_capability', 'is_p2p_6ghz_capable', 'p2p_buf_add_channel_list', 'p2p_buf_add_session_id', 'p2p_buf_add_device_info']	639	1179	p2p_build_prov_disc_resp	call site: 01881	/src/hostap/src/p2p/p2p_pd.c:394
384	409	10 : View List ['p2p_check_pref_chan_recv', 'p2p_channels_includes', 'p2p_is_peer_6ghz_capab', 'p2p_dbg', 'os_snprintf_error.602', 'is_6ghz_freq', 'p2p_pref_freq_allowed', 'p2p_check_pref_chan_no_recv', 'p2p_freq_to_channel', 'is_p2p_6ghz_capable']	384	409	p2p_check_pref_chan	call site: 01434	/src/hostap/src/p2p/p2p_go_neg.c:732
135	135	1 : View List ['p2p_buf_add_service_instance']	135	135	p2p_build_probe_resp_ies	call site: 00965	/src/hostap/src/p2p/p2p.c:2385
128	1624	8 : View List ['wpabuf_len', 'wpabuf_head', 'p2p_group_presence_req', 'p2p_build_presence_resp', 'p2p_send_action', 'wpabuf_free', 'p2p_parse_free', 'p2p_parse']	128	1639	p2p_process_presence_req	call site: 02204	/src/hostap/src/p2p/p2p.c:4743
116	131	2 : View List ['p2p_pref_channel_filter', 'p2p_channels_dump']	218	759	p2p_build_go_neg_resp	call site: 01492	/src/hostap/src/p2p/p2p_go_neg.c:371
80	1184	7 : View List ['wpabuf_head_u8.1486', 'wpabuf_head.1450', 'wpabuf_len.1451', 'p2p_build_gas_comeback_resp', 'p2p_send_action', 'wpabuf_free', 'ether_addr_equal.1461']	80	1209	p2p_rx_gas_comeback_req	call site: 02121	/src/hostap/src/p2p/p2p_sd.c:648
76	76	1 : View List ['p2p_buf_add_group_id']	89	193	p2p_build_invitation_resp	call site: 01723	/src/hostap/src/p2p/p2p_invitation.c:168
54	54	1 : View List ['p2p_buf_add_advertisement_id']	54	144	p2p_build_prov_disc_resp	call site: 01902	/src/hostap/src/p2p/p2p_pd.c:489
53	53	1 : View List ['p2p_freq_to_channel']	53	244	p2p_process_invitation_req	call site: 01688	/src/hostap/src/p2p/p2p_invitation.c:305
48	48	1 : View List ['p2p_buf_add_group_bssid']	137	241	p2p_build_invitation_resp	call site: 01722	/src/hostap/src/p2p/p2p_invitation.c:165

Runtime coverage analysis

Covered functions

216

Functions that are reachable but not covered

168

Reachable functions

376

Percentage of reachable functions covered

55.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/p2p/p2p.c	3
tests/fuzzing/p2p/../fuzzer-common.c	1
src/utils/os_unix.c	7
src/utils/eloop.c	11
src/utils/./list.h	5
src/utils/wpa_debug.c	6
src/p2p/p2p.c	85
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	3
src/p2p/../utils/list.h	3
src/p2p/p2p_utils.c	20
src/p2p/../utils/os.h	4
src/utils/./os.h	2
src/p2p/p2p_parse.c	8
src/common/ieee802_11_common.c	20
src/common/../utils/common.h	3
src/common/./ieee802_11_common.h	1
src/utils/wpabuf.c	8
src/common/../utils/wpabuf.h	8
src/utils/./wpabuf.h	6
src/wps/wps_attr_parse.c	5
src/wps/../utils/wpabuf.h	7
src/wps/../utils/common.h	5
src/wps/../utils/wpa_debug.h	1
src/p2p/../utils/common.h	12
src/wps/wps_common.c	1
src/wps/../utils/os.h	1
src/p2p/../utils/wpabuf.h	13
src/utils/common.c	7
src/p2p/../utils/wpa_debug.h	1
src/p2p/p2p_pd.c	22
src/p2p/p2p_build.c	36
src/p2p/p2p_sd.c	14
src/common/gas.c	11
src/p2p/p2p_go_neg.c	19
src/wps/wps_attr_build.c	3
src/p2p/p2p_invitation.c	6
src/p2p/p2p_group.c	8
src/p2p/p2p_dev_disc.c	5

Fuzzer: eap-sim-peer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	48.0%
gold	[1:9]	1	2.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	25	50.0%
All colors	50	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
106	106	2 : View List ['eap_sim_ext_sim_result', 'eap_sim_ext_sim_req']	106	106	eap_sim_gsm_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:289
103	103	1 : View List ['eap_sim_process_notification_reauth']	103	103	eap_sim_process_notification_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:1018
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00000	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00035	/src/hostap/src/utils/wpa_debug.c:281
7	271	4 : View List ['eap_sim_msg_add_encr_start', 'eap_sim_msg_add_encr_end', 'eap_sim_msg_add', 'eap_sim_msg_free']	7	412	eap_sim_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:743
7	7	1 : View List ['eap_sim_msg_free']	7	7	eap_sim_response_reauth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:717
4	4	1 : View List ['realloc']	4	4	wpabuf_resize	call site: 00000	/src/hostap/src/utils/wpabuf.c:69
2	2	1 : View List ['eap_sm_request_identity']	2	2	eap_sim_process	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:1205
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	75	1 : View List ['eap_sim_msg_add_mac']	0	141	eap_sim_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:759
0	68	1 : View List ['eap_sim_msg_add']	0	209	eap_sim_response_reauth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:723
0	60	2 : View List ['wpa_hexdump', 'WPA_GET_BE16']	0	60	eap_sim_parse_attr	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_common/eap_sim_common.c:795

Runtime coverage analysis

Covered functions

96

Functions that are reachable but not covered

12

Reachable functions

32

Percentage of reachable functions covered

62.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eap-sim-peer/eap-sim-peer.c	3
tests/fuzzing/eap-sim-peer/../fuzzer-common.c	1
tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c	1
src/utils/os_unix.c	2
tests/fuzzing/eap-sim-peer/../../../src/utils/common.h	1
src/utils/wpabuf.c	5
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/eap-sim-peer/../../../src/utils/wpa_debug.h	1
tests/fuzzing/eap-sim-peer/../../../src/utils/wpabuf.h	2

Fuzzer: dpp-uri

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3338	95.8%
gold	[1:9]	5	0.14%
yellow	[10:29]	17	0.48%
greenyellow	[30:49]	21	0.60%
lawngreen	50+	101	2.90%
All colors	3482	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
18	18	1 : View List ['ieee80211_chan_to_freq_us']	53	96	ieee80211_chan_to_freq	call site: 00065	/src/hostap/src/common/ieee802_11_common.c:2028
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00018	/src/hostap/src/utils/wpa_debug.c:423
15	15	1 : View List ['ieee80211_chan_to_freq_eu']	35	73	ieee80211_chan_to_freq	call site: 00067	/src/hostap/src/common/ieee802_11_common.c:2034
14	14	1 : View List ['ieee80211_chan_to_freq_jp']	20	53	ieee80211_chan_to_freq	call site: 00069	/src/hostap/src/common/ieee802_11_common.c:2040
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00121	/src/hostap/src/utils/wpa_debug.c:281
6	6	1 : View List ['ieee80211_chan_to_freq_cn']	6	34	ieee80211_chan_to_freq	call site: 00071	/src/hostap/src/common/ieee802_11_common.c:2046
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	0	None	6942	6942	dpp_relay_flush_controllers	call site: 03469	/src/hostap/tests/fuzzing/dpp-uri/../../../src/common/dpp_tcp.c:2379
0	0	None	3486	3486	dpp_controller_free	call site: 03477	/src/hostap/tests/fuzzing/dpp-uri/../../../src/common/dpp_tcp.c:721
0	0	None	26	26	openssl_digest_vector	call site: 00138	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:345
0	0	None	18	18	openssl_digest_vector	call site: 00139	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:347
0	0	None	18	18	openssl_digest_vector	call site: 00144	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:354

Runtime coverage analysis

Covered functions

62

Functions that are reachable but not covered

557

Reachable functions

619

Percentage of reachable functions covered

10.02%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/dpp-uri/dpp-uri.c	1
tests/fuzzing/dpp-uri/../fuzzer-common.c	1
src/utils/os_unix.c	11
tests/fuzzing/dpp-uri/../../../src/common/dpp.c	90
tests/fuzzing/dpp-uri/../../../src/utils/list.h	3
src/utils/wpa_debug.c	9
src/common/ieee802_11_common.c	8
src/utils/common.c	14
src/utils/ip_addr.c	2
src/utils/base64.c	7
tests/fuzzing/dpp-uri/../../../src/common/dpp_crypto.c	40
tests/fuzzing/dpp-uri/../../../src/crypto/crypto_openssl.c	67
src/utils/../utils/os.h	2
tests/fuzzing/dpp-uri/../../../src/utils/os.h	1
tests/fuzzing/dpp-uri/../../../src/common/dpp_tcp.c	37
src/utils/eloop.c	8
src/utils/./list.h	3
src/utils/./os.h	3
src/utils/wpabuf.c	8
src/utils/./wpabuf.h	5
tests/fuzzing/dpp-uri/../../../src/crypto/sha256-kdf.c	1
tests/fuzzing/dpp-uri/../../../src/crypto/sha384-kdf.c	1
tests/fuzzing/dpp-uri/../../../src/crypto/sha512-kdf.c	1
tests/fuzzing/dpp-uri/../../../src/utils/wpa_debug.h	2
tests/fuzzing/dpp-uri/../../../src/utils/wpabuf.h	13
src/utils/json.c	20
tests/fuzzing/dpp-uri/../../../src/utils/common.h	8
tests/fuzzing/dpp-uri/../../../src/crypto/aes-siv.c	7
tests/fuzzing/dpp-uri/../../../src/crypto/aes-ctr.c	1
src/common/gas.c	2
src/common/../utils/wpabuf.h	1
tests/fuzzing/dpp-uri/../../../src/common/dpp_auth.c	14
tests/fuzzing/dpp-uri/../../../src/common/dpp_backup.c	17
tests/fuzzing/dpp-uri/../../../src/common/dpp_reconfig.c	5
tests/fuzzing/dpp-uri/../../../src/common/dpp_pkex.c	11
tests/fuzzing/dpp-uri/../../../src/tls/asn1.c	22
tests/fuzzing/dpp-uri/../../../src/tls/asn1.h	7
/usr/include/openssl/x509.h	2

Fuzzer: tls-server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1514	81.9%
gold	[1:9]	281	15.2%
yellow	[10:29]	24	1.29%
greenyellow	[30:49]	17	0.91%
lawngreen	50+	12	0.64%
All colors	1848	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
614	614	1 : View List ['tlsv1_set_key_enc_pem']	614	614	tlsv1_set_key	call site: 00716	/src/hostap/src/tls/tlsv1_cred.c:1012
579	579	1 : View List ['pkcs8_enc_key_import']	579	789	crypto_private_key_import	call site: 00446	/src/hostap/src/crypto/crypto_internal-rsa.c:49
250	250	1 : View List ['tlsv1_client_deinit']	250	481	tls_connection_deinit	call site: 01822	/src/hostap/src/crypto/tls_internal.c:155
85	89	5 : View List ['WPA_GET_BE16', 'wpabuf_alloc', 'wpabuf_put_data', 'wpa_hexdump_buf', 'wpabuf_free']	85	89	read_msg	call site: 00855	/src/hostap/tests/fuzzing/tls-server/tls-server.c:31
43	43	1 : View List ['crypto_cipher_init']	43	43	tlsv1_record_change_write_cipher	call site: 01585	/src/hostap/src/tls/tlsv1_record.c:86
43	43	1 : View List ['crypto_cipher_init']	43	43	tlsv1_record_change_read_cipher	call site: 01424	/src/hostap/src/tls/tlsv1_record.c:120
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00149	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['mp_copy']	28	39	mp_mul_2d	call site: 00461	/src/hostap/src/tls/./libtommath.c:1382
14	14	1 : View List ['mp_lshd']	14	18	mp_mul_2d	call site: 00464	/src/hostap/src/tls/./libtommath.c:1395
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00089	/src/hostap/src/utils/wpa_debug.c:281
4	4	1 : View List ['crypto_cipher_deinit']	47	47	tlsv1_record_change_write_cipher	call site: 01584	/src/hostap/src/tls/tlsv1_record.c:82
4	4	1 : View List ['crypto_cipher_deinit']	47	47	tlsv1_record_change_read_cipher	call site: 01423	/src/hostap/src/tls/tlsv1_record.c:116

Runtime coverage analysis

Covered functions

121

Functions that are reachable but not covered

284

Reachable functions

405

Percentage of reachable functions covered

29.88%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/tls-server/tls-server.c	2
tests/fuzzing/tls-server/../fuzzer-common.c	1
src/crypto/tls_internal.c	11
src/tls/tlsv1_client.c	10
src/crypto/crypto_internal.c	5
src/tls/tlsv1_server.c	14
src/utils/os_unix.c	8
src/tls/tlsv1_cred.c	15
src/tls/x509v3.c	59
src/utils/wpa_debug.c	8
src/crypto/crypto_internal-rsa.c	8
src/tls/rsa.c	6
src/tls/bignum.c	12
src/tls/./libtommath.c	42
src/utils/common.c	7
src/tls/asn1.c	10
src/tls/./asn1.h	12
src/tls/../utils/os.h	1
src/utils/base64.c	2
src/tls/pkcs8.c	2
src/tls/pkcs5.c	13
src/tls/../utils/common.h	6
src/crypto/sha1-pbkdf2.c	2
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/crypto/crypto_internal-cipher.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/aes-internal-dec.c	5
src/crypto/./aes_i.h	1
src/crypto/des-internal.c	9
src/crypto/md5-internal.c	5
src/crypto/rc4.c	1
src/crypto/../utils/common.h	4
src/tls/tlsv1_common.c	12
src/crypto/sha256-internal.c	5
src/crypto/sha384-internal.c	4
src/crypto/sha512-internal.c	5
tests/fuzzing/tls-server/../../../src/utils/common.h	1
src/utils/wpabuf.c	7
tests/fuzzing/tls-server/../../../src/utils/wpabuf.h	4
src/utils/./wpabuf.h	4
tests/fuzzing/tls-server/../../../src/utils/wpa_debug.h	1
src/crypto/../utils/wpabuf.h	4
src/tls/tlsv1_record.c	5
src/tls/tlsv1_server_read.c	12
src/crypto/crypto_internal-modexp.c	1
src/crypto/sha256-tlsprf.c	1
src/crypto/sha256.c	2
src/crypto/sha1-tlsprf.c	1
src/crypto/md5.c	2
src/tls/pkcs1.c	4
src/tls/tlsv1_server_write.c	13
src/tls/../utils/wpabuf.h	4

Fuzzer: eapol-supp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1316	69.1%
gold	[1:9]	36	1.89%
yellow	[10:29]	26	1.36%
greenyellow	[30:49]	20	1.05%
lawngreen	50+	504	26.4%
All colors	1902	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2201	2201	1 : View List ['wpa_sm_rx_eapol_wpa']	2201	2207	wpa_sm_rx_eapol	call site: 00645	/src/hostap/src/rsn_supp/wpa.c:3985
2100	2100	1 : View List ['wpa_supplicant_process_3_of_4']	2100	2106	wpa_sm_rx_eapol	call site: 01569	/src/hostap/src/rsn_supp/wpa.c:4112
793	793	1 : View List ['eapol_sm_abort_cached']	793	1636	eapol_sm_rx_eapol	call site: 00592	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1370
246	246	1 : View List ['wpa_derive_ptk_ft']	246	246	wpa_derive_ptk	call site: 01116	/src/hostap/src/rsn_supp/wpa.c:724
134	134	1 : View List ['wpa_sm_tptk_to_ptk']	138	457	wpa_supplicant_verify_eapol_key_mic	call site: 00653	/src/hostap/src/rsn_supp/wpa.c:3476
91	227	7 : View List ['eap_sm_build_expanded_nak', 'wpa_hexdump', 'eap_msg_alloc', 'eap_allowed_method', 'eap_update_len', 'wpabuf_put', 'wpabuf_put_u8.1541']	91	227	eap_sm_buildNak	call site: 00421	/src/hostap/src/eap_peer/eap.c:1460
82	82	2 : View List ['wpabuf_put_be24', 'wpabuf_put_be32']	82	82	eap_msg_alloc	call site: 00351	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_common/eap_common.c:146
80	80	3 : View List ['free', 'x509_certificate_chain_free', 'crypto_private_key_free']	80	80	tlsv1_cred_free	call site: 01449	/src/hostap/src/tls/tlsv1_cred.c:31
55	844	2 : View List ['eap_notify_lower_layer_success', 'eapol_sm_step']	55	844	eapol_sm_notify_lower_layer_success	call site: 00636	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1836
54	54	1 : View List ['wpa_insert_pmkid']	54	491	wpa_supplicant_send_2_of_4	call site: 01229	/src/hostap/src/rsn_supp/wpa.c:545
52	52	1 : View List ['wpa_gen_wpa_ie_wpa']	52	52	wpa_gen_wpa_ie	call site: 00544	/src/hostap/tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c:287
49	92	2 : View List ['sm_EAP_FAILURE_Enter', 'wpa_msg']	49	92	sm_EAP_Step	call site: 00185	/src/hostap/src/eap_peer/eap.c:1370

Runtime coverage analysis

Covered functions

223

Functions that are reachable but not covered

248

Reachable functions

458

Percentage of reachable functions covered

45.85%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eapol-supp/eapol-supp.c	4
tests/fuzzing/eapol-supp/../fuzzer-common.c	1
src/utils/os_unix.c	9
src/utils/eloop.c	18
src/utils/./list.h	5
src/utils/wpa_debug.c	8
src/rsn_supp/wpa.c	73
src/rsn_supp/../utils/list.h	3
src/rsn_supp/pmksa_cache.c	12
src/utils/./os.h	4
src/utils/common.c	4
src/rsn_supp/./wpa_i.h	21
src/eapol_supp/eapol_supp_sm.c	50
src/eap_peer/eap.c	62
src/eap_peer/../utils/list.h	1
src/crypto/tls_internal.c	2
src/tls/tlsv1_client.c	2
src/crypto/crypto_internal.c	2
src/tls/tlsv1_server.c	2
src/utils/wpabuf.c	6
src/eapol_supp/../utils/wpabuf.h	2
src/eap_peer/../utils/wpabuf.h	7
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/crypto/sha1-internal.c	5
src/eap_peer/../utils/common.h	4
src/utils/./wpabuf.h	5
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	6
src/eap_common/../utils/common.h	4
src/eap_peer/eap_methods.c	2
src/rsn_supp/wpa_ie.c	5
src/rsn_supp/../utils/common.h	7
src/common/wpa_common.c	32
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/crypto/sha1.c	2
src/crypto/aes-omac1.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/common/../utils/common.h	5
src/rsn_supp/../common/wpa_common.h	3
src/common/../utils/os.h	1
src/rsn_supp/../common/defs.h	8
src/common/./defs.h	7
src/rsn_supp/wpa_ft.c	5
src/crypto/sha256-prf.c	2
src/common/ieee802_11_common.c	4
src/crypto/sha1-prf.c	1
src/crypto/rc4.c	1
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
src/rsn_supp/preauth.c	6
src/l2_packet/l2_packet_linux.c	3
src/l2_packet/../utils/common.h	2
src/tls/tlsv1_cred.c	1
src/tls/x509v3.c	3
src/crypto/crypto_internal-rsa.c	1
src/tls/rsa.c	1
src/tls/bignum.c	1
src/tls/./libtommath.c	1
src/common/../utils/wpabuf.h	2

Fuzzer: tls-client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	673	38.1%
gold	[1:9]	90	5.09%
yellow	[10:29]	106	6.00%
greenyellow	[30:49]	40	2.26%
lawngreen	50+	856	48.4%
All colors	1765	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1382	1382	1 : View List ['tls_process_certificate_status']	1382	1382	tls_process_server_key_exchange	call site: 00418	/src/hostap/src/tls/tlsv1_client_read.c:1063
377	401	5 : View List ['bignum_mul', 'bignum_add', 'bignum_mulmod', 'bignum_sub', 'bignum_init']	377	1076	crypto_rsa_exptmod	call site: 00915	/src/hostap/src/tls/rsa.c:277
241	293	6 : View List ['wpabuf_alloc', 'wpabuf_put', 'wpabuf_mhead', 'wpabuf_size', 'tlsv1_server_decrypt', 'wpabuf_free']	241	293	tls_connection_decrypt2	call site: 01687	/src/hostap/src/crypto/tls_internal.c:616
231	231	1 : View List ['tlsv1_server_deinit']	231	231	tls_connection_deinit	call site: 01736	/src/hostap/src/crypto/tls_internal.c:159
216	216	1 : View List ['tlsv1_server_encrypt']	216	268	tls_connection_encrypt	call site: 01653	/src/hostap/src/crypto/tls_internal.c:558
143	143	2 : View List ['free', 'tlsv1_server_init']	143	143	tls_connection_init	call site: 00112	/src/hostap/src/crypto/tls_internal.c:115
82	82	2 : View List ['x509_certificate_self_signed', 'x509_certificate_get_subject']	82	82	tls_client_cert_chain_der_len	call site: 01478	/src/hostap/src/tls/tlsv1_client_write.c:29
39	39	1 : View List ['mp_reduce_2k_setup_l']	39	392	s_mp_exptmod	call site: 00929	/src/hostap/src/tls/./libtommath.c:1928
18	18	2 : View List ['wpa_debug_print_timestamp', '__ctype_b_loc']	18	18	_wpa_hexdump_ascii	call site: 00570	/src/hostap/src/utils/wpa_debug.c:423
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00132	/src/hostap/src/utils/wpa_debug.c:281
12	80	3 : View List ['free', 'x509_certificate_chain_free', 'crypto_private_key_free']	12	80	tlsv1_cred_free	call site: 01743	/src/hostap/src/tls/tlsv1_cred.c:31
4	4	1 : View List ['realloc']	4	4	wpabuf_resize	call site: 00220	/src/hostap/src/utils/wpabuf.c:69

Runtime coverage analysis

Covered functions

295

Functions that are reachable but not covered

88

Reachable functions

379

Percentage of reachable functions covered

76.78%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/tls-client/tls-client.c	2
tests/fuzzing/tls-client/../fuzzer-common.c	1
src/crypto/tls_internal.c	11
src/tls/tlsv1_client.c	14
src/crypto/crypto_internal.c	5
src/tls/tlsv1_server.c	11
src/utils/os_unix.c	7
src/tls/tlsv1_common.c	13
src/crypto/md5-internal.c	5
src/utils/common.c	4
src/crypto/sha1-internal.c	5
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/sha384-internal.c	4
src/crypto/sha512-internal.c	5
src/utils/wpa_debug.c	7
src/crypto/../utils/wpabuf.h	4
src/tls/tlsv1_client_write.c	13
src/tls/../utils/common.h	5
src/tls/tlsv1_record.c	5
src/crypto/crypto_internal-cipher.c	4
src/crypto/rc4.c	1
src/crypto/aes-internal-enc.c	4
src/crypto/./aes_i.h	1
src/crypto/des-internal.c	9
src/utils/wpabuf.c	7
src/tls/../utils/wpabuf.h	4
src/utils/./wpabuf.h	4
src/crypto/aes-internal-dec.c	5
src/tls/tlsv1_client_read.c	17
src/crypto/sha256-tlsprf.c	1
src/crypto/sha256.c	2
src/crypto/sha1-tlsprf.c	1
src/crypto/md5.c	2
src/crypto/sha1.c	2
src/tls/tlsv1_client_ocsp.c	7
src/tls/asn1.c	10
src/tls/./asn1.h	13
src/tls/../utils/os.h	1
src/tls/x509v3.c	59
src/crypto/crypto_internal-rsa.c	7
src/tls/rsa.c	5
src/tls/bignum.c	11
src/tls/./libtommath.c	41
src/tls/pkcs1.c	3
src/crypto/aes-internal.c	1
src/crypto/crypto_internal-modexp.c	1
tests/fuzzing/tls-client/../../../src/utils/common.h	1
tests/fuzzing/tls-client/../../../src/utils/wpabuf.h	4
tests/fuzzing/tls-client/../../../src/utils/wpa_debug.h	1
src/tls/tlsv1_cred.c	1

Fuzzer: eapol-key-supp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1581	77.9%
gold	[1:9]	20	0.98%
yellow	[10:29]	16	0.78%
greenyellow	[30:49]	3	0.14%
lawngreen	50+	409	20.1%
All colors	2029	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2201	2201	1 : View List ['wpa_sm_rx_eapol_wpa']	2201	2207	wpa_sm_rx_eapol	call site: 01072	/src/hostap/src/rsn_supp/wpa.c:3985
1510	2302	3 : View List ['wpa_supplicant_key_neg_complete', 'wpa_ft_prepare_auth_request', 'eapol_sm_notify_portValid']	1510	2614	wpa_sm_notify_assoc	call site: 00839	/src/hostap/src/rsn_supp/wpa.c:4487
1040	1040	1 : View List ['rsn_preauth_deinit']	2550	3660	wpa_sm_notify_assoc	call site: 00229	/src/hostap/src/rsn_supp/wpa.c:4483
844	844	2 : View List ['eap_notify_lower_layer_success', 'eapol_sm_step']	844	844	eapol_sm_notify_lower_layer_success	call site: 01063	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1836
789	789	1 : View List ['eapol_sm_step']	789	789	eapol_sm_notify_portValid	call site: 00825	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1488
532	532	1 : View List ['wpa_supplicant_process_mlo_1_of_2']	532	538	wpa_sm_rx_eapol	call site: 01896	/src/hostap/src/rsn_supp/wpa.c:4128
246	246	1 : View List ['wpa_derive_ptk_ft']	246	246	wpa_derive_ptk	call site: 01442	/src/hostap/src/rsn_supp/wpa.c:724
152	152	1 : View List ['wpa_supplicant_pairwise_mlo_gtk']	1698	1790	wpa_supplicant_process_3_of_4	call site: 01792	/src/hostap/src/rsn_supp/wpa.c:2946
67	67	1 : View List ['wpa_sm_set_ap_wpa_ie']	67	67	supp_get_beacon_ie	call site: 00000	/src/hostap/tests/fuzzing/eapol-key-supp/eapol-key-supp.c:169
54	54	1 : View List ['wpa_insert_pmkid']	54	491	wpa_supplicant_send_2_of_4	call site: 01554	/src/hostap/src/rsn_supp/wpa.c:545
52	52	1 : View List ['wpa_gen_wpa_ie_wpa']	52	52	wpa_gen_wpa_ie	call site: 00181	/src/hostap/tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c:287
50	50	1 : View List ['wpa_supplicant_activate_ptk']	1897	2871	wpa_supplicant_process_3_of_4	call site: 01781	/src/hostap/src/rsn_supp/wpa.c:2929

Runtime coverage analysis

Covered functions

165

Functions that are reachable but not covered

334

Reachable functions

490

Percentage of reachable functions covered

31.84%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eapol-key-supp/eapol-key-supp.c	6
tests/fuzzing/eapol-key-supp/../fuzzer-common.c	1
src/utils/os_unix.c	9
src/utils/eloop.c	18
src/utils/./list.h	5
src/utils/wpa_debug.c	8
src/rsn_supp/wpa.c	76
src/rsn_supp/../utils/list.h	3
src/rsn_supp/pmksa_cache.c	12
src/utils/./os.h	4
src/utils/common.c	4
src/rsn_supp/./wpa_i.h	21
src/rsn_supp/../common/defs.h	8
src/rsn_supp/../common/wpa_common.h	3
src/common/wpa_common.c	32
src/common/./defs.h	7
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/rsn_supp/../utils/common.h	8
src/eapol_supp/eapol_supp_sm.c	50
src/rsn_supp/wpa_ie.c	5
src/rsn_supp/preauth.c	6
src/utils/wpabuf.c	6
src/eap_peer/eap.c	62
src/eapol_supp/../utils/wpabuf.h	2
src/eap_peer/../utils/wpabuf.h	7
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/eap_peer/../utils/common.h	4
src/utils/./wpabuf.h	5
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	6
src/eap_common/../utils/common.h	4
src/eap_peer/eap_methods.c	2
src/crypto/tls_internal.c	2
src/tls/tlsv1_client.c	2
src/crypto/crypto_internal.c	2
src/tls/tlsv1_server.c	2
src/tls/tlsv1_cred.c	1
src/tls/x509v3.c	3
src/crypto/crypto_internal-rsa.c	1
src/tls/rsa.c	1
src/tls/bignum.c	1
src/tls/./libtommath.c	1
src/l2_packet/l2_packet_linux.c	3
src/l2_packet/../utils/common.h	2
src/eap_peer/../utils/list.h	1
src/rsn_supp/wpa_ft.c	6
src/common/ieee802_11_common.c	4
src/common/../utils/wpabuf.h	2
src/crypto/aes-omac1.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/rsn_supp/tdls.c	21
src/rsn_supp/../rsn_supp/wpa_i.h	4
tests/fuzzing/eapol-key-supp/../../../src/utils/common.h	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/common/../utils/common.h	5
src/common/../utils/os.h	1
src/crypto/sha256-prf.c	2
src/crypto/sha1-prf.c	1
src/crypto/rc4.c	1
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5

Fuzzer: ap-mgmt

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3744	94.7%
gold	[1:9]	1	0.02%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	207	5.23%
All colors	3952	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
30431	30431	12 : View List ['handle_disassoc', 'handle_action', 'wpa_msg', 'handle_auth', 'handle_probe_req', 'sta_track_add', 'ether_addr_equal.1387', 'is_broadcast_ether_addr.1471', 'hostapd_logger', 'handle_assoc', 'notify_mgmt_frame', 'handle_deauth']	30431	30431	ieee802_11_mgmt	call site: 02911	/src/hostap/src/ap/ieee802_11.c:6626
4804	4804	1 : View List ['hostapd_prune_associations']	4804	4804	ap_sta_set_authorized_flag	call site: 00538	/src/hostap/src/ap/sta_info.c:1542
59	59	2 : View List ['hostapd_drv_sta_remove.2537', 'vlan_remove_dynamic']	65	110	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:374
56	56	1 : View List ['radius_client_flush_auth']	180	225	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:362
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00783	/src/hostap/src/utils/wpa_debug.c:281
2	2	1 : View List ['alarm']	2	2	eloop_process_pending_signals	call site: 03877	/src/hostap/tests/fuzzing/pasn-resp/../../../src/utils/eloop.c:1007
2	2	1 : View List ['clock_gettime']	2	2	os_get_reltime	call site: 00050	/src/hostap/src/utils/os_unix.c:94
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	1275	1 : View List ['ieee802_11_update_beacons']	180	13960	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:329
0	28	1 : View List ['wpa_hexdump']	0	28	__ieee802_11_parse_elems	call site: 02588	/src/hostap/src/common/ieee802_11_common.c:699
0	4	2 : View List ['free', 'wpabuf_free']	750	754	ieee802_1x_free_station	call site: 00973	/src/hostap/src/ap/ieee802_1x.c:1494
0	0	None	1594	6398	hostapd_free_stas	call site: 03901	/src/hostap/src/ap/sta_info.c:491

Runtime coverage analysis

Covered functions

106

Functions that are reachable but not covered

880

Reachable functions

986

Percentage of reachable functions covered

10.75%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/ap-mgmt/ap-mgmt.c	4
tests/fuzzing/ap-mgmt/../fuzzer-common.c	1
src/utils/os_unix.c	11
src/utils/eloop.c	21
src/utils/./list.h	5
src/utils/wpa_debug.c	11
src/ap/ap_config.c	19
src/ap/../utils/os.h	6
src/ap/../utils/list.h	6
src/ap/./ap_config.h	4
src/ap/sta_info.c	44
src/ap/accounting.c	7
src/radius/radius.c	28
src/utils/./os.h	4
src/utils/common.c	13
src/radius/radius_client.c	20
src/utils/wpabuf.c	7
src/radius/../utils/os.h	2
src/utils/./wpabuf.h	5
src/ap/../radius/radius.h	1
src/radius/../utils/wpabuf.h	8
src/ap/ieee802_1x.c	12
src/ap/../utils/common.h	14
src/ap/../common/defs.h	11
src/ap/wpa_auth.c	103
src/common/wpa_common.c	42
src/ap/../utils/wpabuf.h	9
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
src/ap/./ap_drv_ops.h	6
src/utils/ip_addr.c	1
src/crypto/md5-internal.c	5
src/utils/../utils/os.h	2
src/radius/../utils/common.h	3
src/crypto/md5.c	2
src/ap/utils.c	2
src/ap/ap_drv_ops.c	20
src/eapol_auth/eapol_auth_sm.c	36
src/eap_server/eap_server_methods.c	2
src/eapol_auth/../utils/wpabuf.h	2
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	5
src/eap_server/eap_server.c	54
src/eap_server/../utils/wpabuf.h	4
src/eap_server/../utils/common.h	2
src/eap_common/../utils/common.h	2
src/ap/ap_mlme.c	5
src/crypto/sha1-prf.c	1
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/ap/./wpa_auth.h	1
src/common/./defs.h	7
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/aes-wrap.c	1
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/crypto/rc4.c	1
src/crypto/aes-omac1.c	4
src/ap/wpa_auth_ie.c	10
src/common/ieee802_11_common.c	31
src/crypto/sha256-prf.c	2
src/ap/wpa_auth_ft.c	68
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
src/common/../utils/common.h	7
src/common/../utils/os.h	1
src/crypto/aes-siv.c	6
src/crypto/aes-ctr.c	1
src/ap/ndisc_snoop.c	1
src/ap/ieee802_11_ht.c	14
src/ap/beacon.c	45
src/ap/hostapd.c	3
src/ap/ieee802_11.c	60
src/ap/./ieee802_11.h	3
src/ap/ieee802_11_shared.c	27
src/ap/dfs.c	4
src/ap/wmm.c	10
src/ap/hs20.c	1
src/crypto/sha1-pbkdf2.c	2
src/wps/wps.c	2
src/wps/../utils/wpabuf.h	8
src/wps/../utils/common.h	5
src/wps/wps_attr_build.c	3
src/common/hw_features_common.c	7
src/common/./ieee802_11_common.h	1
src/common/../utils/wpabuf.h	3
src/ap/wps_hostapd.c	2
src/ap/./preauth_auth.h	1
src/ap/vlan_init.c	4
src/ap/gas_serv.c	1
src/ap/ieee802_11_auth.c	7
src/ap/./mbo_ap.h	1
tests/fuzzing/ap-mgmt/../../../src/utils/common.h	1
src/ap/ap_list.c	11
src/ap/hw_features.c	2
src/ap/vlan.c	1
src/ap/vlan_ifconfig.c	3
src/ap/./sta_info.h	2
src/wps/wps_attr_parse.c	5
src/wps/../utils/wpa_debug.h	1
src/ap/../wps/wps.h	1
src/ap/pmksa_cache_auth.c	8
src/ap/../common/wpa_common.h	2
src/common/ptksa_cache.c	4
src/common/../utils/list.h	2
src/ap/rrm.c	14

Fuzzer: wnm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	6218	96.9%
gold	[1:9]	10	0.15%
yellow	[10:29]	22	0.34%
greenyellow	[30:49]	1	0.01%
lawngreen	50+	165	2.57%
All colors	6416	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
938	942	9 : View List ['filter_scan_res', 'scan_snr', 'wpa_bss_update_start', 'qsort', 'wpa_bss_update_scan_res', 'scan_est_throughput', 'wpa_bss_update_end', 'dump_scan_res', 'os_get_reltime']	938	985	wpa_supplicant_get_scan_results	call site: 00550	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/scan.c:3191
18	18	1 : View List ['ieee80211_chan_to_freq_us']	53	96	ieee80211_chan_to_freq	call site: 00524	/src/hostap/src/common/ieee802_11_common.c:2028
15	15	1 : View List ['ieee80211_chan_to_freq_eu']	35	73	ieee80211_chan_to_freq	call site: 00526	/src/hostap/src/common/ieee802_11_common.c:2034
14	14	1 : View List ['ieee80211_chan_to_freq_jp']	20	53	ieee80211_chan_to_freq	call site: 00528	/src/hostap/src/common/ieee802_11_common.c:2040
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00035	/src/hostap/src/utils/wpa_debug.c:281
8	8	4 : View List ['free', 'chan_supported', 'add_freq', 'os_calloc.3263']	8	8	wnm_set_scan_freqs	call site: 06372	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.c:1234
6	6	1 : View List ['ieee80211_chan_to_freq_cn']	6	34	ieee80211_chan_to_freq	call site: 00530	/src/hostap/src/common/ieee802_11_common.c:2046
4	4	1 : View List ['wpa_scan_results_free']	4	4	wpa_supplicant_update_scan_results	call site: 00549	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/scan.c:3263
2	2	1 : View List ['alarm']	2	2	eloop_process_pending_signals	call site: 06382	/src/hostap/tests/fuzzing/pasn-resp/../../../src/utils/eloop.c:1007
2	2	1 : View List ['clock_gettime']	2	2	os_get_reltime	call site: 00027	/src/hostap/src/utils/os_unix.c:94
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/sae/../fuzzer-common.c:23
0	0	None	11701	13698	wnm_scan_process	call site: 00786	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.c:1014

Runtime coverage analysis

Covered functions

87

Functions that are reachable but not covered

1288

Reachable functions

1375

Percentage of reachable functions covered

6.33%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/wnm/wnm.c	4
tests/fuzzing/wnm/../fuzzer-common.c	1
src/utils/os_unix.c	12
src/utils/eloop.c	21
src/utils/./list.h	5
src/utils/wpa_debug.c	9
tests/fuzzing/wnm/../../../wpa_supplicant/bss.c	45
tests/fuzzing/wnm/../../../src/utils/list.h	6
src/utils/./os.h	4
tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.c	33
tests/fuzzing/wnm/../../../src/utils/common.h	14
src/rsn_supp/wpa.c	91
src/common/wpa_common.c	39
src/common/../utils/common.h	6
src/utils/common.c	20
src/utils/wpabuf.c	7
tests/fuzzing/wnm/../../../wpa_supplicant/notify.c	41
tests/fuzzing/wnm/../../../wpa_supplicant/dbus/dbus_new.h	13
tests/fuzzing/wnm/../../../src/utils/wpabuf.h	12
src/utils/./wpabuf.h	5
tests/fuzzing/wnm/../../../src/utils/os.h	9
tests/fuzzing/wnm/../../../wpa_supplicant/events.c	95
tests/fuzzing/wnm/../../../wpa_supplicant/bss.h	4
tests/fuzzing/wnm/../../../wpa_supplicant/wpa_supplicant.c	105
src/common/ieee802_11_common.c	42
tests/fuzzing/wnm/../../../wpa_supplicant/bssid_ignore.c	6
tests/fuzzing/wnm/../../../wpa_supplicant/scan.c	61
tests/fuzzing/wnm/../../../src/common/defs.h	9
tests/fuzzing/wnm/../../../wpa_supplicant/wps_supplicant.h	10
src/rsn_supp/wpa_ie.c	6
src/rsn_supp/../utils/common.h	9
tests/fuzzing/wnm/../../../src/drivers/driver_common.c	6
src/common/./ieee802_11_common.h	1
src/common/../utils/wpabuf.h	8
tests/fuzzing/wnm/../../../src/utils/wpa_debug.h	1
src/eap_peer/eap.c	64
tests/fuzzing/wnm/../../../wpa_supplicant/wpa_supplicant_i.h	3
tests/fuzzing/wnm/../../../wpa_supplicant/driver_i.h	32
tests/fuzzing/wnm/../../../wpa_supplicant/p2p_supplicant.h	15
tests/fuzzing/wnm/../../../wpa_supplicant/sme.h	12
tests/fuzzing/wnm/../../../wpa_supplicant/autoscan.h	3
tests/fuzzing/wnm/../../../wpa_supplicant/wmm_ac.c	24
src/eapol_supp/eapol_supp_sm.c	55
src/eapol_supp/../utils/wpabuf.h	2
src/eap_peer/../utils/wpabuf.h	7
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/crypto/sha1-internal.c	5
src/eap_peer/../utils/common.h	4
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	6
src/eap_common/../utils/common.h	4
src/eap_peer/eap_methods.c	3
tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.h	1
tests/fuzzing/wnm/../../../wpa_supplicant/wpas_glue.c	5
src/rsn_supp/preauth.c	10
src/rsn_supp/../utils/list.h	4
src/rsn_supp/pmksa_cache.c	16
src/rsn_supp/../common/defs.h	9
src/rsn_supp/../common/wpa_common.h	3
src/common/./defs.h	7
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/sha1.c	2
src/rsn_supp/./wpa_i.h	20
src/l2_packet/l2_packet_linux.c	9
src/l2_packet/../utils/common.h	2
src/eap_peer/../utils/list.h	1
src/crypto/tls_internal.c	2
src/tls/tlsv1_client.c	2
src/crypto/crypto_internal.c	2
src/tls/tlsv1_server.c	2
src/tls/tlsv1_cred.c	1
src/tls/x509v3.c	3
src/crypto/crypto_internal-rsa.c	1
src/tls/rsa.c	1
src/tls/bignum.c	1
src/tls/./libtommath.c	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/crypto/aes-omac1.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/rsn_supp/tdls.c	22
src/rsn_supp/../rsn_supp/wpa_i.h	4
tests/fuzzing/wnm/../../../wpa_supplicant/rrm.c	30
tests/fuzzing/wnm/../../../wpa_supplicant/hs20_supplicant.c	9
src/utils/bitfield.c	4
tests/fuzzing/wnm/../../../wpa_supplicant/robust_av.c	22
src/common/ptksa_cache.c	4
src/common/../utils/list.h	2
src/crypto/sha1-pbkdf2.c	2
tests/fuzzing/wnm/../../../wpa_supplicant/op_classes.c	11
tests/fuzzing/wnm/../../../wpa_supplicant/config.c	13
src/utils/../utils/os.h	2
src/common/hw_features_common.c	9
tests/fuzzing/wnm/../../../src/rsn_supp/wpa.h	2
tests/fuzzing/wnm/../../../wpa_supplicant/bgscan.h	3
src/utils/crc32.c	1
tests/fuzzing/wnm/../../../wpa_supplicant/interworking.c	60
src/common/gas.c	8
tests/fuzzing/wnm/../../../wpa_supplicant/gas_query.c	22
tests/fuzzing/wnm/../../../wpa_supplicant/offchannel.c	5
src/common/../utils/os.h	1
src/rsn_supp/wpa_ft.c	6
src/crypto/sha256-prf.c	2
src/crypto/sha1-prf.c	1
src/crypto/rc4.c	1
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
tests/fuzzing/wnm/../../../wpa_supplicant/mesh_mpm.h	2
tests/fuzzing/wnm/../../../wpa_supplicant/config_file.c	19
src/utils/base64.c	2

Fuzzer: eapol-key-auth

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1111	70.1%
gold	[1:9]	4	0.25%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	469	29.6%
All colors	1584	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
90	90	2 : View List ['sm_WPA_PTK_GROUP_KEYERROR_Enter', 'sm_WPA_PTK_GROUP_REKEYESTABLISHED_Enter']	1673	1673	sm_WPA_PTK_GROUP_Step	call site: 00218	/src/hostap/src/ap/wpa_auth.c:5623
73	73	1 : View List ['wpa_parse_wpa_ie_wpa']	262	400	wpa_validate_wpa_ie	call site: 01137	/src/hostap/src/ap/wpa_auth_ie.c:854
65	112	3 : View List ['eloop_register_timeout', 'eloop_deplete_timeout', 'wpa_auth_logger']	65	1244	wpa_auth_sta_deinit	call site: 01298	/src/hostap/src/ap/wpa_auth.c:1150
54	54	1 : View List ['wpa_insert_pmkid']	81	1744	sm_WPA_PTK_PTKINITNEGOTIATING_Enter	call site: 00931	/src/hostap/src/ap/wpa_auth.c:4980
52	52	1 : View List ['wpa_write_wpa_ie']	226	254	wpa_auth_gen_wpa_ie	call site: 00064	/src/hostap/src/ap/wpa_auth_ie.c:659
47	47	1 : View List ['sm_WPA_PTK_INITPMK_Enter']	47	47	sm_WPA_PTK_Step	call site: 00487	/src/hostap/src/ap/wpa_auth.c:5304
36	36	1 : View List ['sha256_prf']	36	288	wpa_pmk_to_ptk	call site: 00629	/src/hostap/src/common/wpa_common.c:513
28	28	1 : View List ['wpa_group_free']	28	28	wpa_group_put	call site: 00384	/src/hostap/src/ap/wpa_auth.c:6837
27	27	2 : View List ['WPA_PUT_LE32.3008', 'wpa_write_ftie']	27	1640	sm_WPA_PTK_PTKINITNEGOTIATING_Enter	call site: 00948	/src/hostap/src/ap/wpa_auth.c:5012
14	14	1 : View List ['wpa_debug_print_timestamp']	14	14	_wpa_hexdump	call site: 00095	/src/hostap/src/utils/wpa_debug.c:281
5	20	3 : View List ['wpa_cipher_valid_mgmt_group', 'rsn_selector_to_bitfield', 'WPA_GET_BE32.719']	5	48	wpa_parse_wpa_ie_rsn	call site: 00786	/src/hostap/src/common/wpa_common.c:2008
3	3	1 : View List ['wpa_write_mdie']	229	257	wpa_auth_gen_wpa_ie	call site: 00063	/src/hostap/src/ap/wpa_auth_ie.c:651

Runtime coverage analysis

Covered functions

204

Functions that are reachable but not covered

208

Reachable functions

392

Percentage of reachable functions covered

46.94%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eapol-key-auth/eapol-key-auth.c	4
tests/fuzzing/eapol-key-auth/../fuzzer-common.c	1
src/utils/os_unix.c	8
src/utils/eloop.c	12
src/utils/./list.h	5
src/utils/wpa_debug.c	8
src/ap/wpa_auth.c	95
src/ap/wpa_auth_ie.c	13
src/ap/../utils/common.h	7
src/common/wpa_common.c	41
src/common/../utils/common.h	5
src/ap/../common/defs.h	11
src/ap/wpa_auth_ft.c	62
src/utils/common.c	5
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
src/crypto/sha1-prf.c	1
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/ap/./wpa_auth.h	1
src/common/./defs.h	7
src/crypto/aes-wrap.c	1
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/crypto/rc4.c	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/crypto/aes-omac1.c	4
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/utils/./os.h	3
src/utils/wpabuf.c	7
src/common/ieee802_11_common.c	10
src/crypto/sha256-prf.c	2
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
src/common/../utils/os.h	1
src/ap/../utils/list.h	4
src/crypto/aes-siv.c	6
src/crypto/aes-ctr.c	1
src/ap/pmksa_cache_auth.c	10
src/radius/radius.c	2
src/ap/../common/wpa_common.h	2
src/utils/./wpabuf.h	5
src/radius/../utils/os.h	1
src/ap/../utils/wpabuf.h	2
src/common/./ieee802_11_common.h	1
src/common/../utils/wpabuf.h	3