Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_acse_parse

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5 13.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 31 86.1%
All colors 36 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
3 23 parseAarqPdu call site: 00023 checkAuthMechanismName
1 4 Memory_calloc call site: 00004 noMemoryAvailableHandler
1 6 ByteBuffer_create call site: 00006 Memory_free

Runtime coverage analysis

Covered functions
18
Functions that are reachable but not covered
5
Reachable functions
23
Percentage of reachable functions covered
78.26%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_acse_parse.c 1
src/mms/iso_acse/acse.c 8
src/common/byte_buffer.c 3
hal/memory/lib_memory.c 3
src/mms/asn1/ber_decode.c 6

Fuzzer: fuzz_pres_userdata

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 20 100.%
All colors 20 100

Runtime coverage analysis

Covered functions
10
Functions that are reachable but not covered
1
Reachable functions
11
Percentage of reachable functions covered
90.91%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_pres_userdata.c 1
src/mms/iso_presentation/iso_presentation.c 5
src/mms/asn1/ber_decode.c 4

Fuzzer: fuzz_mms_print

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 174 100.%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 0 0.0%
All colors 174 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
173 0 EP call site: 00000 MmsValue_decodeMmsData

Runtime coverage analysis

Covered functions
0
Functions that are reachable but not covered
82
Reachable functions
82
Percentage of reachable functions covered
0.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_mms_print.c 1
src/mms/iso_mms/server/mms_access_result.c 7
src/mms/asn1/ber_decode.c 7
src/mms/iso_mms/common/mms_value.c 32
hal/memory/lib_memory.c 4
src/mms/asn1/ber_integer.c 4
src/mms/asn1/asn1_ber_primitive_value.c 2
src/common/string_utilities.c 2
src/mms/asn1/ber_encoder.c 15
src/common/conversions.c 3

Fuzzer: fuzz_mms_encode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 134 100.%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 0 0.0%
All colors 134 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
133 0 EP call site: 00000 MmsValue_decodeMmsData

Runtime coverage analysis

Covered functions
0
Functions that are reachable but not covered
61
Reachable functions
61
Percentage of reachable functions covered
0.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_mms_encode.c 1
src/mms/iso_mms/server/mms_access_result.c 7
src/mms/asn1/ber_decode.c 7
src/mms/iso_mms/common/mms_value.c 20
hal/memory/lib_memory.c 4
src/mms/asn1/ber_integer.c 2
src/mms/asn1/asn1_ber_primitive_value.c 2
src/common/string_utilities.c 1
src/mms/asn1/ber_encoder.c 15

Fuzzer: fuzz_goose_subscriber

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 58 29.2%
gold [1:9] 2 1.01%
yellow [10:29] 1 0.50%
greenyellow [30:49] 1 0.50%
lawngreen 50+ 136 68.6%
All colors 198 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
30 163 parseAllDataUnknownValue call site: 00163 parseAllData
5 11 GooseReceiver_destroy call site: 00011 GooseReceiver_stop
4 64 Ethernet_setMode call site: 00064 Ethernet_createSocket
3 57 getInterfaceIndex call site: 00057 Ethernet_destroySocket
1 4 Memory_calloc call site: 00004 noMemoryAvailableHandler
1 7 LinkedList_create call site: 00007 noMemoryAvailableHandler
1 9 GooseReceiver_create call site: 00009 GooseReceiver_destroy
1 35 GooseSubscriber_create call site: 00035 Memory_malloc
1 52 Ethernet_createSocket call site: 00052 Memory_free
1 70 Ethernet_setProtocolFilter call site: 00070 htons
1 74 GooseReceiver_startThreadless call site: 00074 Ethernet_setMode
1 101 parseGoosePayload call site: 00101 MmsValue_delete

Runtime coverage analysis

Covered functions
64
Functions that are reachable but not covered
24
Reachable functions
88
Percentage of reachable functions covered
72.73%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_goose_subscriber.c 2
src/goose/goose_receiver.c 13
hal/memory/lib_memory.c 4
src/common/linked_list.c 6
hal/thread/linux/thread_linux.c 1
src/goose/goose_subscriber.c 5
src/mms/iso_mms/common/mms_value.c 24
src/mms/asn1/asn1_ber_primitive_value.c 2
src/common/string_utilities.c 2
hal/ethernet/linux/ethernet_linux.c 6
src/mms/asn1/ber_decode.c 7
src/common/conversions.c 1
src/mms/asn1/ber_integer.c 2
hal/time/unix/time.c 1

Fuzzer: fuzz_mms_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9 10.9%
gold [1:9] 1 1.21%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 72 87.8%
All colors 82 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1 12 Memory_calloc call site: 00012 noMemoryAvailableHandler
1 14 MmsValue_createEmptyArray call site: 00014 Memory_free
1 30 MmsValue_newBitString call site: 00030 Memory_free
1 36 Asn1PrimitiveValue_create call site: 00036 noMemoryAvailableHandler
1 38 Asn1PrimitiveValue_create call site: 00038 Memory_free
1 41 BerInteger_createInt64 call site: 00041 Memory_free
1 46 MmsValue_newUnsigned call site: 00046 Memory_free
1 56 MmsValue_newOctetString call site: 00056 Memory_free
1 62 StringUtils_createStringFromBuffer call site: 00062 Memory_free

Runtime coverage analysis

Covered functions
38
Functions that are reachable but not covered
2
Reachable functions
40
Percentage of reachable functions covered
95.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_mms_decode.c 1
src/mms/iso_mms/server/mms_access_result.c 4
src/mms/asn1/ber_decode.c 7
src/mms/iso_mms/common/mms_value.c 18
hal/memory/lib_memory.c 4
src/mms/asn1/ber_integer.c 2
src/mms/asn1/asn1_ber_primitive_value.c 2
src/common/string_utilities.c 1

Fuzzer: fuzz_mms_server_decode_mms_pdu

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4228 75.0%
gold [1:9] 36 0.63%
yellow [10:29] 990 17.5%
greenyellow [30:49] 83 1.47%
lawngreen 50+ 299 5.30%
All colors 5636 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
752 3481 mmsServer_handleStatusRequest call site: 03481 mmsServer_handleWriteRequest
307 3163 handleConfirmedRequestPdu call site: 03163 mmsServer_handleObtainFileRequest
254 2319 MmsServer_getValueFromCache call site: 02319 updateGenericTrackingObjectValues
247 2059 searchCacheForValue call site: 02059 Reporting_RCBWriteAccessHandler
221 4861 mmsIsoCallback call site: 04861 handleAsyncResponse
172 1859 IsoConnection_unlock call site: 01859 writeAccessGooseControlBlock
153 4556 Control_processControlActions call site: 04556 executeControlTask
141 1230 MmsMapping_installHandlers call site: 01230 Control_readAccessControlObject
109 5211 createNewConnectionObject call site: 05211 iedConnection_handleReport
96 843 createNamedVariableFromLogicalNode call site: 00843 checkForServiceTrackingVariables
66 1459 ReportControl_lockNotify call site: 01459 processEventsForReport
65 577 MmsVariableSpecification_getChildValue call site: 00577 Reporting_createMmsBufferedRCBs

Runtime coverage analysis

Covered functions
458
Functions that are reachable but not covered
660
Reachable functions
1115
Percentage of reachable functions covered
40.81%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
build/../fuzz/fuzz_mms_server_decode_mms_pdu.c 2
src/iec61850/server/model/dynamic_model.c 25
hal/memory/lib_memory.c 4
src/common/string_utilities.c 21
src/iec61850/server/model/cdc.c 11
src/iec61850/server/model/model.c 17
src/iec61850/server/impl/ied_server.c 24
hal/thread/linux/thread_linux.c 9
src/iec61850/server/mms_mapping/mms_mapping.c 81
src/common/linked_list.c 12
src/mms/iso_mms/server/mms_device.c 5
src/mms/iso_mms/server/mms_domain.c 11
src/mms/iso_mms/server/mms_journal.c 2
src/iec61850/server/mms_mapping/logging.c 27
src/iec61850/common/iec61850_common.c 6
src/iec61850/server/mms_mapping/reporting.c 58
src/mms/iso_mms/common/mms_value.c 80
src/mms/asn1/ber_integer.c 13
src/mms/asn1/asn1_ber_primitive_value.c 5
src/mms/asn1/ber_encoder.c 18
hal/time/unix/time.c 2
src/mms/iso_mms/common/mms_type_spec.c 6
src/iec61850/server/mms_mapping/mms_goose.c 26
src/iec61850/server/mms_mapping/mms_sv.c 12
src/mms/iso_mms/server/mms_named_variable_list.c 11
src/goose/goose_publisher.c 13
hal/ethernet/linux/ethernet_linux.c 6
src/iec61850/server/mms_mapping/control.c 54
src/mms/iso_mms/server/mms_server.c 43
src/mms/iso_server/iso_server.c 26
src/common/map.c 5
src/mms/iso_mms/server/mms_value_cache.c 10
src/common/string_map.c 1
src/common/byte_buffer.c 8
hal/socket/linux/socket_linux.c 25
src/mms/iso_server/iso_connection.c 16
src/mms/iso_mms/server/mms_server_connection.c 22
hal/filesystem/linux/file_provider_linux.c 9
src/mms/iso_mms/server/mms_file_service.c 26
src/common/conversions.c 5
src/mms/iso_mms/server/mms_access_result.c 9
src/common/simple_allocator.c 1
src/logging/log_storage.c 5
src/iec61850/server/impl/client_connection.c 7
src/mms/iso_mms/server/mms_information_report.c 2
src/mms/iso_presentation/iso_presentation.c 15
src/mms/iso_session/iso_session.c 15
src/mms/iso_cotp/cotp.c 29
src/mms/iso_mms/server/mms_server_common.c 14
src/mms/asn1/ber_decode.c 9
src/mms/iso_mms/server/mms_association_service.c 6
src/mms/iso_mms/common/mms_common_msg.c 8
src/mms/iso_mms/client/mms_client_files.c 16
src/mms/iso_mms/server/mms_journal_service.c 4
src/mms/iso_mms/server/mms_status_service.c 1
src/mms/iso_mms/server/mms_get_namelist_service.c 12
src/mms/iso_mms/server/mms_identify_service.c 4
src/mms/iso_mms/server/mms_read_service.c 17
src/mms/iso_mms/asn1c/ber_decoder.c 1
src/mms/iso_mms/asn1c/INTEGER.c 2
src/mms/iso_mms/server/mms_named_variable_list_service.c 10
src/mms/iso_mms/server/mms_write_service.c 6
src/mms/iso_mms/server/mms_get_var_access_service.c 5
src/mms/iso_mms/asn1c/der_encoder.c 1
src/mms/iso_mms/asn1c/asn_internal.h 1
src/mms/iso_mms/client/mms_client_common.c 3
src/mms/iso_mms/client/mms_client_connection.c 31
src/mms/iso_acse/acse.c 12
src/common/buffer_chain.c 1
src/iec61850/client/ied_connection.c 17
src/mms/iso_common/iso_connection_parameters.c 7
src/mms/iso_client/iso_client_connection.c 16
src/mms/iso_mms/client/mms_client_read.c 2
src/mms/iso_mms/client/mms_client_write.c 3
src/mms/iso_mms/client/mms_client_named_variable_list.c 4
src/mms/iso_mms/client/mms_client_get_var_access.c 2
src/mms/iso_mms/client/mms_client_status.c 1
src/mms/iso_mms/client/mms_client_identify.c 1
src/mms/iso_mms/client/mms_client_journals.c 7
src/mms/iso_mms/client/mms_client_get_namelist.c 1
src/mms/iso_mms/client/mms_client_initiate.c 3
src/iec61850/client/client_report.c 2
src/iec61850/client/client_control.c 4

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
OCTET_STRING_decode_ber /src/libiec61850/src/mms/iso_mms/asn1c/OCTET_STRING.c 6 ['N/A', 'N/A', 'N/A', 'N/A', 'size_t', 'int'] 3 0 2599 462 106 12 0 206 196
ControlObjectClient_create /src/libiec61850/src/iec61850/client/client_control.c 2 ['N/A', 'N/A'] 12 0 71 11 5 112 0 478 132
OCTET_STRING_decode_xer_utf8 /src/libiec61850/src/mms/iso_mms/asn1c/OCTET_STRING.c 6 ['N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'size_t'] 4 0 38 3 2 19 0 151 132
GeneralizedTime_encode_der /src/libiec61850/src/mms/iso_mms/asn1c/GeneralizedTime.c 7 ['N/A', 'N/A', 'N/A', 'int', 'int', 'N/A', 'N/A'] 4 0 116 16 5 13 0 131 121
IedConnection_getLogicalNodeDirectory /src/libiec61850/src/iec61850/client/ied_connection.c 4 ['N/A', 'N/A', 'N/A', 'int'] 12 0 394 64 21 85 0 318 98
SEQUENCE_decode_ber /src/libiec61850/src/mms/iso_mms/asn1c/constr_SEQUENCE.c 6 ['N/A', 'N/A', 'N/A', 'N/A', 'size_t', 'int'] 3 0 1774 300 66 11 0 171 84
ControlObjectClient_operateAsync /src/libiec61850/src/iec61850/client/client_control.c 6 ['N/A', 'N/A', 'N/A', 'size_t', 'N/A', 'N/A'] 9 0 153 14 6 106 0 429 76

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
54.0%
1169 / 2155
Cyclomatic complexity statically reachable by fuzzers
63.0%
7444 / 11816

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

build/../fuzz/fuzz_acse_parse.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['parseAarqPdu', 'Memory_calloc', 'ByteBuffer_create']

build/../fuzz/fuzz_pres_userdata.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


build/../fuzz/fuzz_mms_print.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


build/../fuzz/fuzz_mms_encode.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


build/../fuzz/fuzz_goose_subscriber.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['parseAllDataUnknownValue', 'GooseReceiver_destroy', 'Ethernet_setMode', 'getInterfaceIndex', 'Memory_calloc', 'LinkedList_create', 'GooseReceiver_create', 'GooseSubscriber_create', 'Ethernet_createSocket', 'Ethernet_setProtocolFilter']

build/../fuzz/fuzz_mms_decode.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['Memory_calloc', 'MmsValue_createEmptyArray', 'MmsValue_newBitString', 'Asn1PrimitiveValue_create', 'BerInteger_createInt64', 'MmsValue_newUnsigned', 'MmsValue_newOctetString', 'StringUtils_createStringFromBuffer']

build/../fuzz/fuzz_mms_server_decode_mms_pdu.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['mmsServer_handleStatusRequest', 'handleConfirmedRequestPdu', 'MmsServer_getValueFromCache', 'searchCacheForValue', 'mmsIsoCallback', 'IsoConnection_unlock', 'Control_processControlActions', 'MmsMapping_installHandlers', 'createNewConnectionObject', 'createNamedVariableFromLogicalNode']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
Ethernet_setMode 61 20 32.78% ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu']
Socket_activateTcpKeepAlive 32 16 50.0% ['fuzz_mms_server_decode_mms_pdu']
FunctionalConstraint_toString 43 10 23.25% ['fuzz_mms_server_decode_mms_pdu']
installDefaultValuesForDataObject 55 26 47.27% ['fuzz_mms_server_decode_mms_pdu']
updateDataSetsWithCachedValues 96 42 43.75% ['fuzz_mms_server_decode_mms_pdu']
Control_processControlActions 77 4 5.194% ['fuzz_mms_server_decode_mms_pdu']
createMmsDomainFromIedDevice 76 41 53.94% ['fuzz_mms_server_decode_mms_pdu']
createNamedVariableFromLogicalNode 227 102 44.93% ['fuzz_mms_server_decode_mms_pdu']
createNamedVariableFromDataAttribute 181 73 40.33% ['fuzz_mms_server_decode_mms_pdu']
ReportControl_getRCBValue 75 21 28.00% ['fuzz_mms_server_decode_mms_pdu']
updateOwner 69 10 14.49% ['fuzz_mms_server_decode_mms_pdu']
copyRCBValuesToTrackingObject 98 13 13.26% ['fuzz_mms_server_decode_mms_pdu']
updateGenericTrackingObjectValues 53 9 16.98% ['fuzz_mms_server_decode_mms_pdu']
processEventsForReport 77 3 3.896% ['fuzz_mms_server_decode_mms_pdu']
DataObject_create 37 17 45.94% ['fuzz_mms_server_decode_mms_pdu']
ModelNode_getChild 89 33 37.07% ['fuzz_mms_server_decode_mms_pdu']
IsoClientConnection_handleConnection 267 138 51.68% ['fuzz_mms_server_decode_mms_pdu']
IsoClientConnection_associateAsync 61 30 49.18% ['fuzz_mms_server_decode_mms_pdu']
sendBuffer 39 17 43.58% ['fuzz_mms_server_decode_mms_pdu']
mmsIsoCallback 368 101 27.44% ['fuzz_mms_server_decode_mms_pdu']
handleConfirmedRequestPdu 170 25 14.70% ['fuzz_mms_server_decode_mms_pdu']
IsoPresentation_parseUserData 76 37 48.68% ['fuzz_mms_server_decode_mms_pdu']
IsoPresentation_parseConnect 91 42 46.15% ['fuzz_mms_server_decode_mms_pdu']
IsoSession_parseMessage 75 28 37.33% ['fuzz_mms_server_decode_mms_pdu']
parseAcceptParameters 89 32 35.95% ['fuzz_mms_server_decode_mms_pdu']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libiec61850/src/mms/iso_mms/server/mms_identify_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/Integer32.c [] []
/src/libiec61850/build/../fuzz/fuzz_acse_parse.c ['fuzz_acse_parse'] []
/src/libiec61850/src/common/simple_allocator.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/server/model/model.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_get_var_access_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_common.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/server/mms_access_result.c ['fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_decode']
/src/libiec61850/src/mms/iso_mms/server/mms_device.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/BIT_STRING.c [] []
/src/libiec61850/src/mms/iso_mms/server/mms_journal.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_journals.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/client/client_report.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_acse/acse.c ['fuzz_acse_parse', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_acse_parse', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/ber_tlv_tag.c [] []
/src/libiec61850/src/common/buffer_chain.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/hal/filesystem/linux/file_provider_linux.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/server/mms_server.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/build/../fuzz/fuzz_mms_server_decode_mms_pdu.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/constr_CHOICE.c [] []
/src/libiec61850/src/iec61850/server/mms_mapping/reporting.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/client/mms_client_get_namelist.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/DefineNamedVariableListResponse.c [] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_write.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/ber_tlv_length.c [] []
/src/libiec61850/src/common/string_utilities.c ['fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_journal_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/der_encoder.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/ConcludeRequestPDU.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/Unsigned8.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/TimeOfDay.c [] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_read.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/xer_support.c [] []
/src/libiec61850/src/mms/iso_mms/server/mms_server_connection.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/iec61850/client/client_control.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/common/mms_value.c ['fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/iec61850/server/model/cdc.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/hal/time/unix/time.c ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_server/iso_server.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/InitiateErrorPdu.c [] []
/src/libiec61850/src/common/linked_list.c ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/common/mms_common_msg.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/server/mms_mapping/control.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/ServiceSupportOptions.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/INTEGER.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/BOOLEAN.c [] []
/src/libiec61850/src/mms/asn1/asn1_ber_primitive_value.c ['fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_write_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/UTF8String.c [] []
/src/libiec61850/build/../fuzz/fuzz_goose_subscriber.c ['fuzz_goose_subscriber'] []
/src/libiec61850/src/goose/goose_subscriber.c ['fuzz_goose_subscriber'] ['fuzz_goose_subscriber']
/src/libiec61850/src/mms/iso_mms/asn1c/Integer8.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/GetNamedVariableListAttributesRequest.c [] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_status.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/client/ied_connection.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_status_service.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_information_report.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/server/mms_mapping/logging.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/client/mms_client_initiate.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/UtcTime.c [] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_files.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/asn1/ber_integer.c ['fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_cotp/cotp.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/build/../fuzz/fuzz_mms_print.c ['fuzz_mms_print'] []
/src/libiec61850/src/iec61850/server/impl/client_connection.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/build/../fuzz/fuzz_mms_decode.c ['fuzz_mms_decode'] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_named_variable_list.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/server/mms_server_common.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_session/iso_session.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/hal/memory/lib_memory.c ['fuzz_acse_parse', 'fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_acse_parse', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/constr_SEQUENCE_OF.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/constr_TYPE.c [] []
/src/libiec61850/src/goose/goose_publisher.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/server/mms_mapping/mms_sv.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/common/conversions.c ['fuzz_mms_print', 'fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber']
/src/libiec61850/src/mms/iso_mms/asn1c/FloatingPoint.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/GeneralizedTime.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/asn_codecs_prim.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/asn_internal.h ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/build/../fuzz/fuzz_mms_encode.c ['fuzz_mms_encode'] []
/src/libiec61850/src/mms/iso_mms/server/mms_named_variable_list.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/OCTET_STRING.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/Identifier.c [] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_connection.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_association_service.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/asn1/ber_decode.c ['fuzz_acse_parse', 'fuzz_pres_userdata', 'fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_acse_parse', 'fuzz_pres_userdata', 'fuzz_goose_subscriber', 'fuzz_mms_decode', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/logging/log_storage.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/DataAccessError.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/constraints.c [] []
/src/libiec61850/src/mms/iso_mms/server/mms_get_namelist_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/common/iec61850_common.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/iec61850/server/impl/ied_server.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/xer_decoder.c [] []
/src/libiec61850/src/mms/iso_mms/server/mms_domain.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_server/iso_connection.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/ParameterSupportOptions.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/ConcludeResponsePDU.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/ber_decoder.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_identify.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/server/model/dynamic_model.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/NativeInteger.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/MMSString.c [] []
/src/libiec61850/src/goose/goose_receiver.c ['fuzz_goose_subscriber'] ['fuzz_goose_subscriber']
/src/libiec61850/src/mms/iso_common/iso_connection_parameters.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/asn1/ber_encoder.c ['fuzz_mms_print', 'fuzz_mms_encode', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/hal/thread/linux/thread_linux.c ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_read_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/DeleteNamedVariableListRequest.c [] []
/src/libiec61850/src/common/byte_buffer.c ['fuzz_acse_parse', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_acse_parse', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/Unsigned32.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/Integer16.c [] []
/src/libiec61850/src/mms/iso_mms/client/mms_client_get_var_access.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/VisibleString.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/RejectPDU.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/per_support.c [] []
/src/libiec61850/build/../fuzz/fuzz_pres_userdata.c ['fuzz_pres_userdata'] []
/src/libiec61850/src/mms/iso_presentation/iso_presentation.c ['fuzz_pres_userdata', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_pres_userdata', 'fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_value_cache.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/common/string_map.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/hal/socket/linux/socket_linux.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/NULL.c [] []
/src/libiec61850/src/mms/iso_mms/asn1c/constr_SET_OF.c [] []
/src/libiec61850/src/common/map.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/hal/ethernet/linux/ethernet_linux.c ['fuzz_goose_subscriber', 'fuzz_mms_server_decode_mms_pdu'] ['fuzz_goose_subscriber']
/src/libiec61850/src/mms/iso_mms/common/mms_type_spec.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/asn1c/asn_SET_OF.c [] []
/src/libiec61850/src/mms/iso_client/iso_client_connection.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/iec61850/server/mms_mapping/mms_goose.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/mms/iso_mms/asn1c/constr_SEQUENCE.c [] []
/src/libiec61850/src/mms/iso_mms/server/mms_file_service.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']
/src/libiec61850/src/mms/iso_mms/server/mms_named_variable_list_service.c ['fuzz_mms_server_decode_mms_pdu'] []
/src/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c ['fuzz_mms_server_decode_mms_pdu'] ['fuzz_mms_server_decode_mms_pdu']

Directories in report

Directory
/src/libiec61850/hal/socket/linux/
/src/libiec61850/hal/time/unix/
/src/libiec61850/src/iec61850/client/
/src/libiec61850/src/mms/iso_server/
/src/libiec61850/src/common/
/src/libiec61850/src/mms/iso_presentation/
/src/libiec61850/src/iec61850/server/model/
/src/libiec61850/src/goose/
/src/libiec61850/hal/memory/
/src/libiec61850/hal/filesystem/linux/
/src/libiec61850/src/logging/
/src/libiec61850/src/mms/iso_mms/asn1c/
/src/libiec61850/src/mms/asn1/
/src/libiec61850/src/iec61850/common/
/src/libiec61850/src/iec61850/server/mms_mapping/
/src/libiec61850/hal/ethernet/linux/
/src/libiec61850/src/mms/iso_mms/client/
/src/libiec61850/src/mms/iso_common/
/src/libiec61850/src/mms/iso_acse/
/src/libiec61850/src/mms/iso_client/
/src/libiec61850/src/mms/iso_mms/common/
/src/libiec61850/src/mms/iso_mms/server/
/src/libiec61850/hal/thread/linux/
/src/libiec61850/build/../fuzz/
/src/libiec61850/src/mms/iso_cotp/
/src/libiec61850/src/mms/iso_session/
/src/libiec61850/src/iec61850/server/impl/