Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Report generation date: 2026-07-05

Project overview: libssh

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
54.0%
895 / 1644
Cyclomatic complexity statically reachable by fuzzers
56.9%
6646 / 11576
Runtime code coverage of functions
59.0%
977 / 1644

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: ssh_privkey_fuzzer_nalloc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 496 95.0%
gold [1:9] 4 0.76%
yellow [10:29] 1 0.19%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 21 4.02%
All colors 522 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
432 58 realloc call site: 00058 pki_openssh_import_privkey_blob
19 501 pki_private_key_from_base64 call site: 00501 ssh_key_free
18 8 _ssh_log call site: 00008 ssh_vlog
14 27 ssh_pki_import_privkey_base64 call site: 00027 ssh_pki_openssh_privkey_import
6 49 calloc call site: 00049 ssh_buffer_allocate_size
3 492 pki_private_key_from_base64 call site: 00492 pem_get_password
2 46 nalloc_fail call site: 00046 fprintf
1 56 realloc call site: 00056 __errno_location
1 496 pki_private_key_from_base64 call site: 00496 PEM_read_bio_PrivateKey

Runtime coverage analysis

Covered functions
32
Functions that are reachable but not covered
141
Reachable functions
155
Percentage of reachable functions covered
9.03%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_privkey_fuzzer.c 1
tests/fuzz/nallocinc.c 7
src/base64.c 6
src/pki.c 11
src/log.c 9
src/pki_container_openssh.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 12
src/libcrypto.c 1
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1

Fuzzer: ssh_sshsig_fuzzer_nalloc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 358 63.7%
gold [1:9] 20 3.55%
yellow [10:29] 33 5.87%
greenyellow [30:49] 11 1.95%
lawngreen 50+ 140 24.9%
All colors 562 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
251 300 sshsig_verify call site: 00300 ssh_pki_import_signature_blob
18 6 _ssh_log call site: 00006 ssh_vlog
18 173 ssh_pki_import_pubkey_blob call site: 00173 pki_import_cert_buffer
18 270 pki_key_clean call site: 00270 pki_import_pubkey_buffer
6 126 ssh_buffer_unpack_va call site: 00126 _ssh_log
4 99 ssh_buffer_unpack_va call site: 00099 ssh_buffer_get_ssh_string
4 202 pki_pubkey_build_rsa call site: 00202 BN_clear_free
4 262 pki_import_pubkey_buffer call site: 00262 ssh_buffer_get_ssh_string
3 241 pki_import_pubkey_buffer call site: 00241 ssh_buffer_get_ssh_string
3 257 pki_pubkey_build_ed25519 call site: 00257 _ssh_log
2 52 ssh_buffer_new call site: 00052 buffer_shift
2 91 ssh_buffer_unpack_va call site: 00091 ssh_buffer_get_u8

Runtime coverage analysis

Covered functions
69
Functions that are reachable but not covered
114
Reachable functions
165
Percentage of reachable functions covered
30.91%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_sshsig_fuzzer.c 1
tests/fuzz/nallocinc.c 7
src/pki.c 20
src/log.c 9
src/base64.c 4
src/buffer.c 27
src/string.c 9
src/bignum.c 3
src/pki_crypto.c 11
src/md_crypto.c 8
src/pki_ed25519_common.c 1

Fuzzer: ssh_client_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1042 99.5%
gold [1:9] 4 0.38%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.09%
All colors 1047 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1016 30 realloc call site: 00030 ssh_config_parse_string
14 13 calloc call site: 00013 ssh_socket_new
6 6 calloc call site: 00006 nalloc_backtrace_exclude
5 0 EP call site: 00000 ssh_new
1 28 realloc call site: 00028 __errno_location

Runtime coverage analysis

Covered functions
21
Functions that are reachable but not covered
334
Reachable functions
337
Percentage of reachable functions covered
0.89%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_client_config_fuzzer.c 1
tests/fuzz/nallocinc.c 7
src/session.c 3
src/wrapper.c 4
src/socket.c 4
src/error.c 3
src/buffer.c 5
src/misc.c 30
src/agent.c 3
src/pki_context.c 3
src/channels.c 1
src/pcap.c 1
src/poll.c 5
src/log.c 12
src/pki.c 2
src/pki_crypto.c 1
src/string.c 4
src/dh_crypto.c 1
src/gzip.c 1
src/messages.c 1
src/auth.c 2
src/callbacks.c 1
src/options.c 4
src/config_parser.c 7
src/kex.c 6
src/token.c 7
src/config.c 21
src/match.c 8
src/md_crypto.c 4

Fuzzer: ssh_bind_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 832 99.4%
gold [1:9] 4 0.47%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.11%
All colors 837 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
770 66 realloc call site: 00066 ssh_bind_config_parse_string
50 13 calloc call site: 00013 ssh_bind_options_set
6 6 calloc call site: 00006 nalloc_backtrace_exclude
5 0 EP call site: 00000 ssh_bind_new
1 64 realloc call site: 00064 __errno_location

Runtime coverage analysis

Covered functions
21
Functions that are reachable but not covered
299
Reachable functions
302
Percentage of reachable functions covered
0.99%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_bind_config_fuzzer.c 1
tests/fuzz/nallocinc.c 7
src/bind.c 2
src/options.c 5
src/error.c 3
src/log.c 10
src/pki.c 14
src/pki_container_openssh.c 4
src/base64.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 14
src/libcrypto.c 1
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1
src/misc.c 6
src/kex.c 6
src/token.c 7
src/bind_config.c 6
src/config_parser.c 4

Fuzzer: ssh_pubkey_fuzzer_nalloc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 425 65.3%
gold [1:9] 14 2.15%
yellow [10:29] 24 3.69%
greenyellow [30:49] 22 3.38%
lawngreen 50+ 165 25.3%
All colors 650 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
207 310 pki_import_cert_buffer call site: 00310 pki_openssh_import_privkey_blob
104 531 pki_private_key_from_base64 call site: 00531 ssh_pki_export_privkey_to_pubkey
23 243 pki_import_pubkey_buffer call site: 00243 ssh_buffer_get_ssh_string
18 27 _ssh_log call site: 00027 ssh_vlog
12 162 ssh_pki_openssh_import call site: 00162 ssh_pki_import_pubkey_blob
5 47 ssh_pki_import_pubkey_file call site: 00047 _ssh_log
4 119 ssh_buffer_unpack_va call site: 00119 ssh_buffer_get_ssh_string
4 148 ssh_buffer_unpack_va call site: 00148 _ssh_log
4 224 pki_pubkey_build_rsa call site: 00224 BN_clear_free
4 522 pki_private_key_from_base64 call site: 00522 pem_get_password
3 56 ssh_pki_import_pubkey_file call site: 00056 _ssh_log
3 193 ssh_key_type_from_name call site: 00193 pki_import_cert_buffer

Runtime coverage analysis

Covered functions
75
Functions that are reachable but not covered
122
Reachable functions
179
Percentage of reachable functions covered
31.84%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_pubkey_fuzzer.c 1
src/misc.c 2
tests/fuzz/nallocinc.c 8
src/pki.c 15
src/log.c 9
src/pki_container_openssh.c 4
src/base64.c 4
src/buffer.c 19
src/string.c 8
src/bignum.c 1
src/pki_crypto.c 13
src/libcrypto.c 1
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1

Fuzzer: ssh_known_hosts_fuzzer_nalloc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 110 25.5%
gold [1:9] 13 3.01%
yellow [10:29] 8 1.85%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 300 69.6%
All colors 431 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
18 17 _ssh_log call site: 00017 ssh_vlog
13 237 ssh_buffer_unpack_va call site: 00237 _ssh_log
11 218 ssh_buffer_unpack_va call site: 00218 ssh_buffer_get_ssh_string
8 36 ssh_strict_fopen call site: 00036 _ssh_log
7 371 ssh_key_cmp call site: 00371 ssh_string_cmp
6 121 hmac_init call site: 00121 EVP_sha256
4 262 pki_pubkey_build_rsa call site: 00262 BN_clear_free
3 251 ssh_buffer_unpack_va call site: 00251 strlen
3 318 pki_pubkey_build_ed25519 call site: 00318 _ssh_log
2 12 ssh_strict_fopen call site: 00012 ssh_strerror
2 84 ssh_buffer_new call site: 00084 buffer_shift
2 314 pki_pubkey_build_ed25519 call site: 00314 _ssh_log

Runtime coverage analysis

Covered functions
101
Functions that are reachable but not covered
90
Reachable functions
177
Percentage of reachable functions covered
49.15%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_known_hosts_fuzzer.c 1
tests/fuzz/nallocinc.c 7
src/knownhosts.c 7
src/misc.c 9
src/log.c 9
src/base64.c 4
src/buffer.c 19
src/libcrypto.c 4
src/match.c 3
src/pki.c 11
src/string.c 8
src/bignum.c 1
src/pki_crypto.c 6
src/init.c 2
src/threads/pthread.c 2
src/dh.c 1
src/socket.c 1
src/poll.c 1
src/threads.c 1
src/threads/libcrypto.c 1

Fuzzer: ssh_sftp_attr_fuzzer_nalloc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 137 38.7%
gold [1:9] 0 0.0%
yellow [10:29] 3 0.84%
greenyellow [30:49] 9 2.54%
lawngreen 50+ 205 57.9%
All colors 354 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
20 93 _ssh_log call site: 00093 _ssh_log
14 170 ssh_free call site: 00170 ssh_message_free
13 79 ssh_socket_close call site: 00079 ssh_poll_free
13 310 ssh_buffer_unpack_va call site: 00310 _ssh_log
8 62 ssh_free call site: 00062 ssh_channel_do_free
8 130 ssh_string_len call site: 00130 ssh_string_burn
7 298 ssh_buffer_unpack_va call site: 00298 ssh_buffer_get_ssh_string
6 123 crypto_free call site: 00123 ssh_key_clean
6 325 sftp_parse_attr_3 call site: 00325 sftp_parse_longname
4 147 crypto_free call site: 00147 deflateEnd
4 290 ssh_buffer_unpack_va call site: 00290 ssh_buffer_get_u8
2 22 ssh_buffer_new call site: 00022 buffer_shift

Runtime coverage analysis

Covered functions
86
Functions that are reachable but not covered
58
Reachable functions
126
Percentage of reachable functions covered
53.97%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_sftp_attr_fuzzer.c 2
tests/fuzz/nallocinc.c 7
src/session.c 3
src/wrapper.c 4
src/socket.c 4
src/error.c 2
src/buffer.c 16
src/misc.c 10
src/agent.c 3
src/pki_context.c 2
src/channels.c 1
src/pcap.c 1
src/poll.c 5
src/log.c 11
src/pki.c 2
src/pki_crypto.c 1
src/string.c 7
src/dh_crypto.c 1
src/gzip.c 1
src/messages.c 1
src/auth.c 2
src/callbacks.c 1
src/sftp_common.c 5
src/bignum.c 1
src/client.c 1
src/sftp.c 1

Fuzzer: ssh_scp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3104 66.7%
gold [1:9] 0 0.0%
yellow [10:29] 4 0.08%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1539 33.1%
All colors 4647 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
411 3103 ssh_mutex_unlock call site: 03103 ssh_options_parse_config
194 3974 ssh_userauth_get_response call site: 03974 ssh_userauth_agent_publickey
141 3616 ssh_connect call site: 03616 ssh_userauth_publickey_auto
109 1009 ssh_options_set call site: 01009 ssh_options_set
107 4529 ssh_scp_init call site: 04529 ssh_scp_init
106 4346 ssh_channel_send_eof call site: 04346 ssh_event_add_connector
86 1732 hmac_final call site: 01732 ssh_pki_import_pubkey_base64
85 550 pki_import_privkey_buffer call site: 00550 pki_buffer_unpack_sk_priv_data
81 3522 ssh_connect call site: 03522 ssh_socket_connect_proxyjump
66 469 pki_private_key_decrypt call site: 00469 _ssh_buffer_unpack
62 1237 ssh_string_copy call site: 01237 ssh_key_free
62 2364 ssh_curve25519_init call site: 02364 ssh_packet_send

Runtime coverage analysis

Covered functions
804
Functions that are reachable but not covered
487
Reachable functions
1041
Percentage of reachable functions covered
53.22%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_scp_fuzzer.c 3
tests/fuzz/nallocinc.c 11
tests/fuzz/ssh_server_mock.c 3
src/bind.c 4
src/session.c 9
src/wrapper.c 10
src/socket.c 24
src/error.c 4
src/buffer.c 31
src/misc.c 43
src/agent.c 11
src/pki_context.c 3
src/channels.c 32
src/pcap.c 5
src/poll.c 26
src/log.c 12
src/pki.c 43
src/pki_crypto.c 22
src/string.c 12
src/dh_crypto.c 6
src/gzip.c 4
src/messages.c 1
src/auth.c 15
src/callbacks.c 6
src/options.c 10
src/pki_container_openssh.c 5
src/base64.c 6
src/bignum.c 3
src/libcrypto.c 7
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 20
src/external/blowfish.c 6
src/kex.c 19
src/token.c 7
src/server.c 4
src/config_parser.c 7
src/config.c 22
src/client.c 8
src/getrandom_crypto.c 1
src/packet.c 10
src/knownhosts.c 18
src/match.c 9
src/packet_crypt.c 1
src/dh.c 4
src/kdf.c 5
src/dh-gex.c 1
src/ecdh_crypto.c 4
src/curve25519.c 1
src/curve25519_crypto.c 1
src/sntrup761.c 3
src/external/sntrup761.c 24
src/hybrid_mlkem.c 1
src/mlkem_native.c 1
src/mlkem.c 1
src/external/libcrux_mlkem768_sha3.c 256
src/init.c 1
src/threads/pthread.c 2
src/threads.c 1
src/connect.c 4
include/libssh/session.h 1
src/pki_ed25519_common.c 1
src/connector.c 18
src/scp.c 22

Fuzzer: ssh_server_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1706 55.5%
gold [1:9] 26 0.84%
yellow [10:29] 18 0.58%
greenyellow [30:49] 32 1.04%
lawngreen 50+ 1288 41.9%
All colors 3070 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
257 1400 ssh_list_prepend call site: 01400 ssh_known_hosts_read_entries
182 1661 ssh_strict_fopen call site: 01661 ssh_send_kex
169 502 sha512_final call site: 00502 pki_openssh_import_privkey_blob
98 1301 ssh_packet_send call site: 01301 ssh_send_rekex
47 2995 libcrux_sha3_generic_keccak_portable_keccak1_ad call site: 02995 ssh_packet_send
38 1161 ssh_buffer_pack_va call site: 01161 _ssh_buffer_pack
32 852 ssh_bind_options_set call site: 00852 ssh_bind_set_algo
31 1055 pki_key_dup call site: 01055 ssh_key_free
29 808 ssh_find_all_matching call site: 00808 ssh_prefix_default_algos
26 467 ssh_pki_import_pubkey_blob call site: 00467 pki_private_key_decrypt
24 1868 packet_send2 call site: 01868 compress_buffer
23 244 ssh_pki_import_privkey_base64 call site: 00244 ssh_pki_openssh_privkey_import

Runtime coverage analysis

Covered functions
732
Functions that are reachable but not covered
324
Reachable functions
804
Percentage of reachable functions covered
59.7%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_server_fuzzer.c 2
tests/fuzz/nallocinc.c 11
src/bind.c 4
src/session.c 7
src/wrapper.c 10
src/socket.c 16
src/error.c 3
src/buffer.c 31
src/misc.c 38
src/agent.c 3
src/pki_context.c 3
src/channels.c 1
src/pcap.c 5
src/poll.c 21
src/log.c 12
src/pki.c 22
src/pki_crypto.c 18
src/string.c 11
src/dh_crypto.c 6
src/gzip.c 4
src/messages.c 1
src/auth.c 2
src/callbacks.c 2
src/options.c 9
src/pki_container_openssh.c 4
src/base64.c 4
src/bignum.c 3
src/libcrypto.c 7
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 20
src/external/blowfish.c 6
src/kex.c 19
src/token.c 7
src/server.c 4
src/client.c 3
src/getrandom_crypto.c 1
src/packet.c 10
src/knownhosts.c 11
src/config_parser.c 1
src/config.c 1
src/match.c 3
src/packet_crypt.c 1
src/dh.c 3
src/kdf.c 5
src/dh-gex.c 1
src/ecdh_crypto.c 4
src/curve25519.c 1
src/curve25519_crypto.c 1
src/sntrup761.c 3
src/external/sntrup761.c 24
src/hybrid_mlkem.c 1
src/mlkem_native.c 1
src/mlkem.c 1
src/external/libcrux_mlkem768_sha3.c 256

Fuzzer: ssh_client_fuzzer_nalloc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2911 66.6%
gold [1:9] 36 0.82%
yellow [10:29] 64 1.46%
greenyellow [30:49] 43 0.98%
lawngreen 50+ 1311 30.0%
All colors 4365 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
428 662 ssh_strict_fopen call site: 00662 ssh_config_parse
403 3301 ssh_pki_import_pubkey_blob call site: 03301 ssh_userauth_try_publickey
245 4000 ssh_signature_free call site: 04000 ssh_event_add_connector
239 3728 ssh_key_size_allowed_rsa call site: 03728 ssh_userauth_agent_publickey
116 1608 pki_import_cert_buffer call site: 01608 ssh_session_update_known_hosts
109 441 ssh_options_set call site: 00441 ssh_options_set
109 1862 pki_key_to_blob call site: 01862 ssh_userauth_publickey_auto
84 1202 ssh_connect call site: 01202 ssh_socket_connect_proxyjump
77 4272 ssh_disconnect call site: 04272 select_loop
76 3205 ssh_client_hybrid_mlkem_init call site: 03205 atomicio
52 2125 packet_send2 call site: 02125 ssh_pcap_context_write
48 1386 ssh_buffer_add_data call site: 01386 base64_to_bin

Runtime coverage analysis

Covered functions
603
Functions that are reachable but not covered
469
Reachable functions
995
Percentage of reachable functions covered
52.86%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_client_fuzzer.c 2
tests/fuzz/nallocinc.c 11
src/session.c 9
src/wrapper.c 10
src/socket.c 24
src/error.c 4
src/buffer.c 31
src/misc.c 40
src/agent.c 11
src/pki_context.c 3
src/channels.c 31
src/pcap.c 5
src/poll.c 26
src/log.c 13
src/pki.c 43
src/pki_crypto.c 22
src/string.c 12
src/dh_crypto.c 6
src/gzip.c 4
src/messages.c 1
src/auth.c 15
src/callbacks.c 6
src/options.c 6
src/config_parser.c 7
src/kex.c 19
src/token.c 7
src/config.c 22
src/client.c 7
src/init.c 1
src/threads/pthread.c 2
src/md_crypto.c 20
src/match.c 9
src/threads.c 1
src/connect.c 4
src/knownhosts.c 18
src/dh.c 4
src/base64.c 6
src/libcrypto.c 6
src/bignum.c 3
include/libssh/session.h 1
src/packet.c 10
src/getrandom_crypto.c 1
src/server.c 1
src/packet_crypt.c 1
src/kdf.c 5
src/dh-gex.c 1
src/ecdh_crypto.c 4
src/curve25519.c 1
src/curve25519_crypto.c 1
src/sntrup761.c 3
src/external/sntrup761.c 24
src/hybrid_mlkem.c 1
src/mlkem_native.c 1
src/mlkem.c 1
src/external/libcrux_mlkem768_sha3.c 256
src/pki_container_openssh.c 5
src/external/bcrypt_pbkdf.c 2
src/external/blowfish.c 6
src/pki_ed25519_common.c 1
src/connector.c 18

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
ssh_packet_client_hybrid_mlkem_reply /src/libssh/src/hybrid_mlkem.c 4 ['N/A', 'char', 'N/A', 'N/A'] 33 0 394 40 17 836 0 3729 402
ssh_packet_userauth_request /src/libssh/src/messages.c 4 ['N/A', 'char', 'N/A', 'N/A'] 39 0 898 187 54 739 0 3931 299
ssh_packet_socket_callback /src/libssh/src/packet.c 3 ['N/A', 'size_t', 'N/A'] 31 0 989 135 48 694 0 3512 198
ssh_server_connection_callback /src/libssh/src/server.c 1 ['N/A'] 33 0 491 85 25 704 0 3518 170
sftp_init /src/libssh/src/sftp.c 1 ['N/A'] 29 0 514 83 26 745 0 3733 169
ssh_channel_request_pty /src/libssh/src/channels.c 1 ['N/A'] 30 0 15 3 2 719 0 3623 163
process_readdir /src/libssh/src/sftpserver.c 1 ['N/A'] 26 0 236 34 13 728 0 3635 122
ssh_packet_server_sntrup761x25519_init /src/libssh/src/sntrup761.c 4 ['N/A', 'char', 'N/A', 'N/A'] 32 0 398 64 24 739 0 3716 121
ssh_packet_server_dhgex_request /src/libssh/src/dh-gex.c 4 ['N/A', 'char', 'N/A', 'N/A'] 22 0 284 51 18 688 0 3401 97
ssh_pki_export_privkey_file /src/libssh/src/pki.c 5 ['N/A', 'N/A', 'N/A', 'N/A', 'N/A'] 14 0 27 3 2 126 0 582 89

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
72.0%
1181 / 1644
Cyclomatic complexity statically reachable by fuzzers
73.0%
8418 / 11576

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

tests/fuzz/ssh_privkey_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['realloc', 'pki_private_key_from_base64', '_ssh_log', 'ssh_pki_import_privkey_base64', 'calloc', 'nalloc_fail']

tests/fuzz/ssh_sshsig_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshsig_verify', '_ssh_log', 'ssh_pki_import_pubkey_blob', 'pki_key_clean', 'ssh_buffer_unpack_va', 'pki_pubkey_build_rsa', 'pki_import_pubkey_buffer', 'pki_pubkey_build_ed25519']

tests/fuzz/ssh_client_config_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['realloc', 'calloc']

tests/fuzz/ssh_bind_config_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['realloc', 'calloc']

tests/fuzz/ssh_pubkey_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pki_import_cert_buffer', 'pki_private_key_from_base64', 'pki_import_pubkey_buffer', '_ssh_log', 'ssh_pki_openssh_import', 'ssh_pki_import_pubkey_file', 'ssh_buffer_unpack_va', 'pki_pubkey_build_rsa']

tests/fuzz/ssh_known_hosts_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['_ssh_log', 'ssh_buffer_unpack_va', 'ssh_strict_fopen', 'ssh_key_cmp', 'hmac_init', 'pki_pubkey_build_rsa', 'pki_pubkey_build_ed25519']

tests/fuzz/ssh_sftp_attr_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['_ssh_log', 'ssh_free', 'ssh_socket_close', 'ssh_buffer_unpack_va', 'ssh_string_len', 'crypto_free', 'sftp_parse_attr_3']

tests/fuzz/ssh_scp_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_mutex_unlock', 'ssh_userauth_get_response', 'ssh_connect', 'ssh_options_set', 'ssh_scp_init', 'ssh_channel_send_eof', 'hmac_final', 'pki_import_privkey_buffer', 'pki_private_key_decrypt']

tests/fuzz/ssh_server_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_list_prepend', 'ssh_strict_fopen', 'sha512_final', 'ssh_packet_send', 'libcrux_sha3_generic_keccak_portable_keccak1_ad', 'ssh_buffer_pack_va', 'ssh_bind_options_set', 'pki_key_dup', 'ssh_find_all_matching', 'ssh_pki_import_pubkey_blob']

tests/fuzz/ssh_client_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_strict_fopen', 'ssh_pki_import_pubkey_blob', 'ssh_signature_free', 'ssh_key_size_allowed_rsa', 'pki_import_cert_buffer', 'ssh_options_set', 'pki_key_to_blob', 'ssh_connect', 'ssh_disconnect', 'ssh_client_hybrid_mlkem_init']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
ssh_dh_init 36 19 52.77% ['ssh_bind_config_fuzzer', 'ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_server_fuzzer', 'ssh_known_hosts_fuzzer_nalloc']
pki_private_key_from_base64 77 40 51.94% ['ssh_bind_config_fuzzer', 'ssh_privkey_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_server_fuzzer']
pki_pubkey_build_rsa 42 21 50.0% ['ssh_bind_config_fuzzer', 'ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_server_fuzzer', 'ssh_known_hosts_fuzzer_nalloc']
hmac_init 37 20 54.05% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_client_fuzzer_nalloc']
ssh_key_cmp 50 17 34.0% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_client_fuzzer_nalloc']
ssh_socket_close 31 15 48.38% ['ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_server_fuzzer']
ssh_userauth_get_response 42 13 30.95% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_bind_accept_fd 127 46 36.22% ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
ssh_channel_new 44 22 50.0% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
channel_default_bufferize 45 18 40.0% ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
ssh_channel_free 38 14 36.84% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_channel_read_timeout 64 28 43.75% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
channel_write_common 121 48 39.66% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
channel_request 83 43 51.80% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_service_request 42 23 54.76% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_connect 117 57 48.71% ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_config_parse_uri 111 43 38.73% ['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_server_fuzzer']
ssh_curve25519_init 50 25 50.0% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
libcrux_sha3_generic_keccak_portable_keccak1_96 31 15 48.38% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
sshkdf_derive_key 73 25 34.24% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_mac_ctx_init 35 19 54.28% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_client_select_hostkeys 70 27 38.57% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_send_kex 89 48 53.93% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_hashbufout_add_cookie 31 17 54.83% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_known_hosts_get_algorithms_names 71 25 35.21% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
evp_cipher_init 42 16 38.09% ['ssh_scp_fuzzer']
ssh_message_queue 35 18 51.42% ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
ssh_execute_server_request 243 90 37.03% ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
ssh_quote_file_name 92 34 36.95% ['ssh_scp_fuzzer']
ssh_path_expand_internal 179 44 24.58% ['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_server_fuzzer']
ssh_options_set 904 144 15.92% ['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_server_fuzzer']
ssh_options_apply 174 70 40.22% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_bind_options_set 361 110 30.47% ['ssh_bind_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_config_fuzzer']
pki_key_dup_common_init 43 15 34.88% ['ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_key_signature_to_char 33 16 48.48% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc']
ssh_pki_import_privkey_file 61 32 52.45% ['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_server_fuzzer']
pki_import_privkey_buffer 165 26 15.75% ['ssh_bind_config_fuzzer', 'ssh_privkey_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_server_fuzzer']
ssh_pki_export_signature_blob 54 26 48.14% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
pki_private_key_decrypt 103 16 15.53% ['ssh_bind_config_fuzzer', 'ssh_privkey_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_server_fuzzer']
pki_key_dup 221 89 40.27% ['ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
pki_key_to_blob 335 126 37.61% ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
ssh_scp_new 38 17 44.73% ['ssh_scp_fuzzer']
ssh_scp_init 100 40 40.0% ['ssh_scp_fuzzer']
ssh_get_key_params 44 23 52.27% ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
ssh_retrieve_dhgroup 51 15 29.41% ['ssh_server_fuzzer']
ssh_msg_userauth_build_digest 53 28 52.83% ['ssh_server_fuzzer']
ssh_auth_reply_default 44 13 29.54% ['ssh_server_fuzzer']
revert_kex_callbacks 45 4 8.888% ['ssh_client_fuzzer_nalloc']
ssh_packet_pong 45 13 28.88% ['ssh_client_fuzzer_nalloc']
ssh_packet_client_sntrup761x25519_reply 64 27 42.18% ['ssh_client_fuzzer_nalloc']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libssh/src/wrapper.c ['ssh_privkey_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/buffer.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/pki.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/misc.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/channels.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/external/libcrux_mlkem768_sha3.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_client_config_fuzzer.c ['ssh_client_config_fuzzer'] ['ssh_client_config_fuzzer']
/src/libssh/src/error.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/config.c ['ssh_client_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/src/pki_context.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/ttyopts.c [] []
/src/libssh/src/dh.c ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/external/bcrypt_pbkdf.c ['ssh_privkey_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/src/log.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/include/libssh/session.h ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/src/packet_crypt.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/client.c ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/pcap.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/src/sftpserver.c [] []
/src/libssh/tests/fuzz/ssh_server_fuzzer.c ['ssh_server_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/src/token.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/ecdh_crypto.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/md_crypto.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/threads/pthread.c ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/callbacks.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/threads/libcrypto.c ['ssh_known_hosts_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc']
/src/libssh/src/bind_config.c ['ssh_bind_config_fuzzer'] []
/src/libssh/src/curve25519.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/getrandom_crypto.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/string.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/kdf.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_scp_fuzzer.c ['ssh_scp_fuzzer'] ['ssh_scp_fuzzer']
/src/libssh/src/server.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/connect.c ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/src/poll.c ['ssh_client_config_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_client_config_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/kex.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/dh_crypto.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/include/libssh/sftp_priv.h [] []
/src/libssh/src/packet.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/init.c ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/sntrup761.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_sshsig_fuzzer.c ['ssh_sshsig_fuzzer_nalloc'] ['ssh_sshsig_fuzzer_nalloc']
/src/libssh/src/gzip.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/crypto_common.c [] []
/src/libssh/src/pki_crypto.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/bignum.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/bind.c ['ssh_bind_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/hybrid_mlkem.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/dh-gex.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_known_hosts_fuzzer.c ['ssh_known_hosts_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc']
/src/libssh/src/mlkem.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/match.c ['ssh_client_config_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/config_parser.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_pubkey_fuzzer.c ['ssh_pubkey_fuzzer_nalloc'] ['ssh_pubkey_fuzzer_nalloc']
/src/libssh/src/external/blowfish.c ['ssh_privkey_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/src/ecdh.c [] []
/src/libssh/src/agent.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/pki_ed25519_common.c ['ssh_sshsig_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer']
/src/libssh/src/session.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/knownhosts.c ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/connector.c ['ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] []
/src/libssh/tests/fuzz/nallocinc.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/packet_cb.c [] []
/src/libssh/src/messages.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/mlkem_native.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/socket.c ['ssh_client_config_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_client_config_fuzzer', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_sftp_attr_fuzzer.c ['ssh_sftp_attr_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc']
/src/libssh/src/sftp_common.c ['ssh_sftp_attr_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc']
/src/libssh/src/external/sntrup761.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/curve25519_crypto.c ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_privkey_fuzzer.c ['ssh_privkey_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc']
/src/libssh/src/threads.c ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/libcrypto.c ['ssh_privkey_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/pki_container_openssh.c ['ssh_privkey_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_pubkey_fuzzer_nalloc', 'ssh_scp_fuzzer']
/src/libssh/src/sftp.c ['ssh_sftp_attr_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_client_fuzzer.c ['ssh_client_fuzzer_nalloc'] ['ssh_client_fuzzer_nalloc']
/src/libssh/tests/fuzz/ssh_bind_config_fuzzer.c ['ssh_bind_config_fuzzer'] ['ssh_bind_config_fuzzer']
/src/libssh/tests/fuzz/ssh_server_mock.c ['ssh_scp_fuzzer'] ['ssh_scp_fuzzer']
/src/libssh/src/options.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']
/src/libssh/src/base64.c ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_privkey_fuzzer_nalloc', 'ssh_sshsig_fuzzer_nalloc', 'ssh_pubkey_fuzzer_nalloc', 'ssh_known_hosts_fuzzer_nalloc', 'ssh_scp_fuzzer']
/src/libssh/src/scp.c ['ssh_scp_fuzzer'] ['ssh_scp_fuzzer']
/src/libssh/src/auth.c ['ssh_client_config_fuzzer', 'ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc'] ['ssh_sftp_attr_fuzzer_nalloc', 'ssh_scp_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer_nalloc']

Directories in report

Directory
/src/libssh/tests/fuzz/
/src/libssh/src/external/
/src/libssh/src/
/src/libssh/include/libssh/
/src/libssh/src/threads/