Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: ssh_known_hosts_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. The report provides a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 95 25.4%
gold [1:9] 17 4.55%
yellow [10:29] 3 0.80%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 258 69.1%
All colors 373 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 4: ['ssh_threads_finalize', 'ssh_socket_cleanup', 'ssh_crypto_finalize', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00362 /src/libssh/src/init.c:165
10 10 1: ['ssh_pki_key_ecdsa_name'] 10 140 pki_import_pubkey_buffer call site: 00282 /src/libssh/src/pki.c:1346
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00044 /src/libssh/src/dh.c:260
7 42 3: ['ssh_strerror', '_ssh_log', '__errno_location'] 7 42 ssh_known_hosts_read_entries call site: 00058 /src/libssh/src/knownhosts.c:236
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_add_data call site: 00096 /src/libssh/src/buffer.c:318
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_allocate_size call site: 00082 /src/libssh/src/buffer.c:347
6 6 2: ['BN_cmp', 'EC_KEY_get0_private_key'] 6 6 pki_key_compare call site: 00346 /src/libssh/src/pki_crypto.c:841
4 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 4 39 ssh_crypto_init call site: 00016 /src/libssh/src/libcrypto.c:1381
4 4 1: ['ssh_key_is_private'] 6 70 ssh_key_cmp call site: 00330 /src/libssh/src/pki.c:686
4 4 2: ['EVP_PKEY_free', 'RSA_free'] 4 4 pki_pubkey_build_rsa call site: 00248 /src/libssh/src/pki_crypto.c:1272
2 2 1: ['explicit_bzero'] 2 28 ssh_key_clean call site: 00303 /src/libssh/src/pki.c:160
2 2 1: ['abort'] 2 2 ssh_buffer_unpack_va call site: 00232 /src/libssh/src/buffer.c:1258

Runtime coverage analysis

Covered functions: 81
Functions that are reachable but not covered: 92
Reachable functions: 172
Percentage of reachable functions covered: 46.51%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
tests/fuzz/ssh_known_hosts_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 5
src/log.c 9
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/knownhosts.c 7
src/misc.c 8
src/base64.c 4
src/buffer.c 19
src/match.c 3
src/pki.c 11
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 6
src/pki_ed25519_common.c 1

Fuzzer: ssh_client_config_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 453 69.6%
gold [1:9] 56 8.61%
yellow [10:29] 90 13.8%
greenyellow [30:49] 11 1.69%
lawngreen 50+ 40 6.15%
All colors 650 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
71 71 1: ['ssh_message_free'] 94 228 ssh_free call site: 00164 /src/libssh/src/session.c:250
30 41 7: ['ssh_get_local_username', 'strdup', 'strlen', '_ssh_set_error_oom', 'gethostname', 'realloc', 'strncpy'] 30 206 ssh_path_expand_escape call site: 00442 /src/libssh/src/misc.c:1229
23 23 1: ['ssh_poll_ctx_free'] 117 719 ssh_free call site: 00100 /src/libssh/src/session.c:221
21 21 1: ['ssh_kbdint_free'] 23 139 ssh_free call site: 00171 /src/libssh/src/session.c:261
21 21 4: ['ssh_threads_finalize', 'ssh_socket_cleanup', 'ssh_crypto_finalize', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00640 /src/libssh/src/init.c:165
20 20 8: ['_exit', 'execv', 'strdup', 'signal', 'dup2', 'getpid', 'exit', 'kill'] 63 308 ssh_exec_shell call site: 00463 /src/libssh/src/config.c:345
16 16 1: ['ssh_poll_free'] 29 134 ssh_socket_close call site: 00104 /src/libssh/src/socket.c:480
12 12 3: ['free', '_ssh_set_error_oom', 'strdup'] 12 12 ssh_options_set call site: 00197 /src/libssh/src/options.c:575
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00040 /src/libssh/src/dh.c:260
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_allocate_size call site: 00061 /src/libssh/src/buffer.c:347
4 39 4: ['_ssh_log', 'free', 'strtol', 'strdup'] 4 39 ssh_config_parse_uri call site: 00569 /src/libssh/src/config_parser.c:243
4 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 4 39 ssh_crypto_init call site: 00012 /src/libssh/src/libcrypto.c:1381

Runtime coverage analysis

Covered functions: 67
Functions that are reachable but not covered: 229
Reachable functions: 295
Percentage of reachable functions covered: 22.37%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
tests/fuzz/ssh_client_config_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 2
src/log.c 10
src/dh.c 2
src/socket.c 6
src/poll.c 6
src/session.c 3
src/wrapper.c 4
src/error.c 3
src/buffer.c 5
src/misc.c 15
src/agent.c 3
src/channels.c 1
src/pcap.c 1
src/pki.c 2
src/pki_crypto.c 1
src/string.c 4
src/dh_crypto.c 1
src/messages.c 1
src/auth.c 2
src/options.c 2
src/kex.c 6
src/token.c 7
src/config.c 11
src/config_parser.c 6
src/match.c 3

Fuzzer: ssh_client_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1243 60.0%
gold [1:9] 66 3.18%
yellow [10:29] 69 3.33%
greenyellow [30:49] 15 0.72%
lawngreen 50+ 677 32.7%
All colors 2070 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
6187 8442 8: ['_ssh_buffer_unpack', 'ssh_packet_send', 'strcmp', '_ssh_set_error_oom', 'ssh_message_new', 'ssh_message_global_request_reply_success', 'ssh_message_queue', 'ssh_buffer_add_u8'] 6187 8687 ssh_packet_global_request call site: 00000 /src/libssh/src/messages.c:1511
1906 1976 2: ['_ssh_log', 'ssh_send_rekex'] 1906 1976 ssh_packet_socket_callback call site: 01506 /src/libssh/src/packet.c:1371
762 775 10: ['known_hosts_read_line', 'fclose', 'strcspn', 'ssh_list_new', 'ssh_known_hosts_entries_compare', 'ssh_list_append', 'ssh_knownhosts_entry_free', 'ssh_known_hosts_parse_line', 'ssh_list_get_iterator', '__ctype_b_loc'] 762 775 ssh_known_hosts_read_entries call site: 00936 /src/libssh/src/knownhosts.c:236
251 251 2: ['ssh_pcap_context_write', 'strlen'] 251 251 ssh_send_banner call site: 00699 /src/libssh/src/client.c:228
247 249 2: ['ssh_pcap_context_write', 'ssh_buffer_get'] 2282 8702 ssh_packet_socket_callback call site: 00848 /src/libssh/src/packet.c:1268
247 247 1: ['ssh_pcap_context_write'] 247 1212 packet_send2 call site: 01259 /src/libssh/src/packet.c:1683
222 258 9: ['strncat', 'strlen', 'ssh_knownhosts_entry_free', 'ssh_list_remove', 'ssh_known_host_sigs_from_hostkey_type', 'ssh_remove_duplicates', 'ssh_list_get_iterator', 'ssh_list_free', 'ssh_list_count'] 222 258 ssh_known_hosts_get_algorithms_names call site: 01159 /src/libssh/src/knownhosts.c:571
123 170 6: ['free', '_ssh_set_error_oom', 'ssh_append_without_duplicates', 'FIPS_mode', 'ssh_keep_fips_algos', 'ssh_find_all_matching'] 123 310 ssh_client_select_hostkeys call site: 00928 /src/libssh/src/kex.c:617
91 91 1: ['ssh_add_to_default_algos'] 145 228 ssh_options_set_algo call site: 00266 /src/libssh/src/options.c:239
54 54 1: ['ssh_remove_from_default_algos'] 108 191 ssh_options_set_algo call site: 00267 /src/libssh/src/options.c:241
35 35 1: ['_ssh_set_error_invalid'] 35 35 channel_default_bufferize call site: 00000 /src/libssh/src/channels.c:929
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_options_set call site: 00193 /src/libssh/src/options.c:562

Runtime coverage analysis

Covered functions: 321
Functions that are reachable but not covered: 314
Reachable functions: 570
Percentage of reachable functions covered: 44.91%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
tests/fuzz/ssh_client_fuzzer.c 2
src/init.c 5
src/threads/pthread.c 3
src/threads.c 3
src/threads/libcrypto.c 2
src/libcrypto.c 8
src/log.c 12
src/dh.c 5
src/socket.c 23
src/poll.c 26
src/session.c 10
src/wrapper.c 10
src/error.c 4
src/buffer.c 31
src/misc.c 24
src/agent.c 3
src/channels.c 30
src/pcap.c 5
src/pki.c 13
src/pki_crypto.c 8
src/string.c 9
src/dh_crypto.c 6
src/messages.c 1
src/auth.c 6
src/options.c 4
src/kex.c 18
src/token.c 8
src/callbacks.c 5
src/client.c 11
src/config.c 11
src/config_parser.c 6
src/match.c 3
src/bignum.c 2
src/packet.c 18
src/packet_crypt.c 4
src/crypto_common.c 1
src/gzip.c 6
src/getrandom_crypto.c 1
src/knownhosts.c 10
src/base64.c 4
src/pki_ed25519_common.c 2
src/server.c 1
src/md_crypto.c 16
src/kdf.c 4
src/dh-gex.c 1
src/ecdh_crypto.c 3
src/curve25519.c 2
src/connect.c 4
src/connector.c 19

Fuzzer: ssh_server_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1144 58.3%
gold [1:9] 12 0.61%
yellow [10:29] 12 0.61%
greenyellow [30:49] 9 0.45%
lawngreen 50+ 784 39.9%
All colors 1961 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2095 2095 1: ['ssh_execute_server_request'] 2095 2095 ssh_execute_server_callbacks call site: 00000 /src/libssh/src/messages.c:369
1961 1961 1: ['ssh_execute_message_callback'] 1961 1961 ssh_message_queue call site: 00000 /src/libssh/src/messages.c:436
1932 2003 3: ['ssh_message_reply_default', 'ssh_message_free', '_ssh_set_error_oom'] 1932 2003 ssh_message_queue call site: 00000 /src/libssh/src/messages.c:454
1906 1976 2: ['_ssh_log', 'ssh_send_rekex'] 1906 1976 ssh_packet_socket_callback call site: 01766 /src/libssh/src/packet.c:1371
1714 1714 3: ['ssh_bind_options_expand_escape', 'ssh_bind_config_parse_file', 'free'] 1714 1714 ssh_bind_options_parse_config call site: 00767 /src/libssh/src/options.c:2376
629 629 1: ['ssh_pki_openssh_privkey_import'] 629 629 ssh_pki_import_privkey_base64 call site: 00201 /src/libssh/src/pki.c:817
251 251 2: ['ssh_pcap_context_write', 'strlen'] 251 251 ssh_send_banner call site: 00968 /src/libssh/src/client.c:228
247 249 2: ['ssh_pcap_context_write', 'ssh_buffer_get'] 2153 8702 ssh_packet_socket_callback call site: 01107 /src/libssh/src/packet.c:1268
247 247 1: ['ssh_pcap_context_write'] 247 1212 packet_send2 call site: 01525 /src/libssh/src/packet.c:1683
98 98 5: ['fclose', 'free', 'ssh_retrieve_dhgroup_file', 'BN_clear_free', 'BN_hex2bn'] 98 98 ssh_retrieve_dhgroup call site: 00000 /src/libssh/src/dh-gex.c:527
91 91 1: ['ssh_add_to_default_algos'] 145 228 ssh_options_set_algo call site: 00659 /src/libssh/src/options.c:239
81 478 2: ['ssh_make_sessionid', 'crypt_set_algorithms_client'] 81 741 ssh_packet_set_newkeys call site: 01558 /src/libssh/src/packet.c:1950

Runtime coverage analysis

Covered functions: 299
Functions that are reachable but not covered: 276
Reachable functions: 506
Percentage of reachable functions covered: 45.45%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
tests/fuzz/ssh_server_fuzzer.c 3
src/bind.c 4
src/session.c 7
src/wrapper.c 11
src/socket.c 15
src/error.c 4
src/buffer.c 31
src/misc.c 23
src/agent.c 3
src/channels.c 1
src/pcap.c 5
src/poll.c 19
src/log.c 10
src/pki.c 21
src/pki_crypto.c 16
src/string.c 9
src/dh_crypto.c 5
src/messages.c 1
src/auth.c 2
src/options.c 9
src/pki_container_openssh.c 4
src/base64.c 4
src/bignum.c 2
src/libcrypto.c 7
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 16
src/external/blowfish.c 6
src/pki_ed25519_common.c 3
src/kex.c 18
src/token.c 8
src/server.c 7
src/bind_config.c 6
src/config_parser.c 2
src/client.c 2
src/packet.c 18
src/packet_crypt.c 4
src/crypto_common.c 1
src/gzip.c 6
src/getrandom_crypto.c 1
src/knownhosts.c 10
src/match.c 3
src/dh.c 3
src/kdf.c 4
src/dh-gex.c 1
src/ecdh.c 1
src/curve25519.c 1

Fuzzer: ssh_bind_config_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 579 76.4%
gold [1:9] 39 5.15%
yellow [10:29] 17 2.24%
greenyellow [30:49] 9 1.18%
lawngreen 50+ 113 14.9%
All colors 757 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_config_parse_line call site: 00064 /src/libssh/src/bind_config.c:309
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00579 /src/libssh/src/options.c:2031
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00590 /src/libssh/src/options.c:2084
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00592 /src/libssh/src/options.c:2099
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00659 /src/libssh/src/options.c:2114
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00661 /src/libssh/src/options.c:2129
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00663 /src/libssh/src/options.c:2144
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00676 /src/libssh/src/options.c:2175
35 35 1: ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00678 /src/libssh/src/options.c:2190
21 21 4: ['ssh_threads_finalize', 'ssh_socket_cleanup', 'ssh_crypto_finalize', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00747 /src/libssh/src/init.c:165
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00040 /src/libssh/src/dh.c:260
6 6 1: ['ssh_log_custom'] 6 6 ssh_log_function call site: 00019 /src/libssh/src/log.c:118

Runtime coverage analysis

Covered functions: 50
Functions that are reachable but not covered: 215
Reachable functions: 264
Percentage of reachable functions covered: 18.56%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
tests/fuzz/ssh_bind_config_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 3
src/log.c 10
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/bind.c 2
src/bind_config.c 6
src/error.c 3
src/config_parser.c 2
src/options.c 5
src/pki.c 15
src/misc.c 3
src/pki_container_openssh.c 4
src/base64.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 13
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1
src/pki_ed25519_common.c 1
src/kex.c 6
src/token.c 7

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists the functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
ssh_userauth_publickey_auto /src/libssh/src/auth.c 3 ['struct.ssh_session_struct.862 *', 'char *', 'char *'] 10 0 763 108 37 461 0 3054 550
ssh_packet_userauth_request /src/libssh/src/messages.c 4 ['struct.ssh_session_struct *', 'char ', 'struct.ssh_buffer_struct *', 'char *'] 8 0 714 143 41 372 0 2436 336
ssh_packet_server_dhgex_request /src/libssh/src/dh-gex.c 4 ['struct.ssh_session_struct *', 'char ', 'struct.ssh_buffer_struct *', 'char *'] 7 0 301 51 18 326 0 2011 95
ssh_pki_export_privkey_file /src/libssh/src/pki.c 5 ['struct.ssh_key_struct *', 'char *', 'func_type *', 'char *', 'char *'] 8 0 163 26 10 113 0 490 85
ssh_packet_server_dh_init /src/libssh/src/dh.c 4 ['struct.ssh_session_struct *', 'char ', 'struct.ssh_buffer_struct *', 'char *'] 11 0 31 3 2 362 0 2242 69
channel_rcv_request /src/libssh/src/channels.c 4 ['struct.ssh_session_struct *', 'char ', 'struct.ssh_buffer_struct *', 'char *'] 7 0 731 134 42 340 0 2206 68
ssh_channel_select /src/libssh/src/channels.c 4 ['struct.ssh_channel_struct **', 'struct.ssh_channel_struct **', 'struct.ssh_channel_struct **', 'struct.ssh_timestamp *'] 5 0 642 128 37 87 0 397 63
ssh_session_update_known_hosts /src/libssh/src/knownhosts.c 1 ['struct.ssh_session_struct *'] 8 0 283 43 15 124 0 765 59
ssh_packet_kexinit /src/libssh/src/kex.c 4 ['struct.ssh_session_struct.121 *', 'char ', 'struct.ssh_buffer_struct *', 'char *'] 3 0 837 134 43 53 0 234 54
ssh_packet_server_curve25519_init /src/libssh/src/curve25519.c 4 ['struct.ssh_session_struct *', 'char ', 'struct.ssh_buffer_struct *', 'char *'] 7 0 419 69 25 365 0 2254 45

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 67.5% (587 / 869)
Cyclomatic complexity statically reachable by fuzzers: 76.6% (5361 / 6991)

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
ssh_dh_init 36 19 52.77% ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer']
hmac_init 38 17 44.73% ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
pki_pubkey_build_rsa 33 18 54.54% ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_config_parse_line 567 233 41.09% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_exec_shell 72 23 31.94% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_config_parse_proxy_jump 72 37 51.38% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_config_parse_uri 82 21 25.60% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_path_expand_escape 130 57 43.84% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_options_set 613 136 22.18% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_socket_close 33 15 45.45% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_userauth_get_response 41 15 36.58% ['ssh_client_fuzzer']
ssh_channel_new 44 22 50.0% ['ssh_client_fuzzer']
ssh_packet_channel_open_conf 51 13 25.49% []
channel_default_bufferize 45 16 35.55% []
ssh_connect 114 62 54.38% ['ssh_client_fuzzer']
ssh_curve25519_init 59 31 52.54% ['ssh_client_fuzzer']
sshkdf_derive_key 38 19 50.0% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_client_select_hostkeys 70 27 38.57% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_hashbufout_add_cookie 31 17 54.83% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_known_hosts_get_algorithms_names 75 25 33.33% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_message_free 56 24 42.85% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_channel_open 87 21 24.13% []
ssh_packet_global_request 110 21 19.09% []
ssh_options_apply 94 47 50.0% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_send 59 21 35.59% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_encrypt 90 37 41.11% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_key_signature_to_char 33 16 48.48% []
ssh_bind_accept_fd 114 45 39.47% ['ssh_server_fuzzer']
ssh_bind_import_keys 70 20 28.57% ['ssh_server_fuzzer']
ssh_retrieve_dhgroup 52 16 30.76% []
ssh_message_queue 35 18 51.42% []
ssh_bind_options_set 363 131 36.08% ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_pki_import_privkey_file 63 27 42.85% ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_pki_export_signature_blob 47 25 53.19% []
pki_key_dup 176 66 37.5% ['ssh_server_fuzzer']
pki_private_key_from_base64 108 35 32.40% ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
pki_sign_data 82 44 53.65% []
ssh_get_key_params 44 20 45.45% []

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that Fuzz Introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, Fuzz Introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libssh/src/threads.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/dh-gex.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/socket.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/packet.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/tests/fuzz/ssh_known_hosts_fuzzer.c ['ssh_known_hosts_fuzzer'] ['ssh_known_hosts_fuzzer']
/src/libssh/src/channels.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/src/dh.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/session.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/pcap.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/string.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/external/bcrypt_pbkdf.c ['ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] []
/src/libssh/src/dh_crypto.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/connect.c ['ssh_client_fuzzer'] []
/src/libssh/src/bind.c ['ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/threads/pthread.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/misc.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/config.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer']
/src/libssh/src/buffer.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/kdf.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/packet_cb.c [] []
/src/libssh/src/connector.c ['ssh_client_fuzzer'] []
/src/libssh/src/callbacks.c ['ssh_client_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/src/bind_config.c ['ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_bind_config_fuzzer']
/src/libssh/src/pki_container_openssh.c ['ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] []
/src/libssh/src/threads/libcrypto.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/libcrypto.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/match.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer']
/src/libssh/src/ecdh.c ['ssh_server_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/src/messages.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/tests/fuzz/ssh_client_fuzzer.c ['ssh_client_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_server_fuzzer.c ['ssh_server_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/tests/fuzz/ssh_bind_config_fuzzer.c ['ssh_bind_config_fuzzer'] ['ssh_bind_config_fuzzer']
/src/libssh/src/bignum.c ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/options.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/wrapper.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/auth.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/agent.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/packet_crypt.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/server.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/error.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/pki_ed25519_common.c ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/getrandom_crypto.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/config_parser.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/crypto_common.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/log.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/md_crypto.c ['ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/gzip.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/poll.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/client.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/base64.c ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer']
/src/libssh/src/kex.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/external/blowfish.c ['ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] []
/src/libssh/src/pki.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/tests/fuzz/ssh_client_config_fuzzer.c ['ssh_client_config_fuzzer'] ['ssh_client_config_fuzzer']
/src/libssh/src/knownhosts.c ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/init.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_bind_config_fuzzer']
/src/libssh/src/pki_crypto.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/curve25519.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/ecdh_crypto.c ['ssh_client_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/src/token.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']

Directories in report

Directory
/src/libssh/src/external/
/src/libssh/src/
/src/libssh/src/threads/
/src/libssh/tests/fuzz/

Function call coverage

This section shows a chosen list of function / method calls and their relative coverage information. Static analysis of the target project code captures all of these function calls together with their caller information, including the source file or class and the line number that initiates the call. Column 1 is the name of the selected function or method. Column 2 indicates whether the target function is covered by any fuzzer's calltree information. Column 3 lists all fuzzers (or no fuzzers at all) that have covered that particular function call dynamically. Column 4 shows the list of parent functions for the specific function call, while column 5 shows possible blocker functions that make the fuzzers fail to reach the specific function. Columns 4 and 5 only show information if none of the fuzzers cover the target function call.

Functions in each file in report

Target sink Callsite location Reached by fuzzer Function call path Covered by fuzzer Possible branch blockers
execv Not in fuzzer provided call tree ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
Parent functions Callpaths
ssh_execute_command
in /src/libssh/src/socket.c:939
Path 1
ssh_exec_shell
in /src/libssh/src/config.c:370
Path 1
Path 2
Path 3
0
Blocker function Arguments type Return type Constants touched
ssh_connect
in /src/libssh/src/client.c:516
['struct.ssh_session_struct *'] int []
ssh_exec_shell
in /src/libssh/src/config.c:318
['char *'] int []
ssh_bind_options_parse_config
in /src/libssh/src/options.c:2358
['struct.ssh_bind_struct *', 'char *'] int []
ssh_exec_shell
in /src/libssh/src/config.c:318
['char *'] int []