Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Report generation date: 2023-06-07

Project overview: net-snmp

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers: 74.0% (1589 / 2149)
Cyclomatic complexity statically reachable by fuzzers: 83.0% (15796 / 19000)
Runtime code coverage of functions: 37.0% (794 / 2149)

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
snmp_config_fuzzer testing/fuzzing/snmp_config_fuzzer.c 204 1596 38 12 5179 1965 snmp_config_fuzzer.c
snmp_parse_oid_fuzzer testing/fuzzing/snmp_parse_oid_fuzzer.c 184 1617 38 12 5160 1946 snmp_parse_oid_fuzzer.c
snmp_mib_fuzzer testing/fuzzing/snmp_mib_fuzzer.c 165 1636 36 11 4362 1666 snmp_mib_fuzzer.c
snmp_parse_fuzzer testing/fuzzing/snmp_parse_fuzzer.c 210 1590 17 18 7529 2569 snmp_parse_fuzzer.c
read_objid_fuzzer testing/fuzzing/read_objid_fuzzer.c 175 1625 38 12 5035 1891 read_objid_fuzzer.c
snmp_transport_fuzzer testing/fuzzing/snmp_transport_fuzzer.c 607 1200 16 43 11103 4236 snmp_transport_fuzzer.c
snmp_pdu_parse_fuzzer testing/fuzzing/snmp_pdu_parse_fuzzer.c 115 1684 7 13 2948 1132 snmp_pdu_parse_fuzzer.c
parse_octet_hint_fuzzer testing/fuzzing/parse_octet_hint_fuzzer.c 13 1788 4 2 150 63 parse_octet_hint_fuzzer.c
snmp_print_var_fuzzer testing/fuzzing/snmp_print_var_fuzzer.c 185 1622 38 13 5193 1949 snmp_print_var_fuzzer.c
snmp_config_mem_fuzzer testing/fuzzing/snmp_config_mem_fuzzer.c 191 1608 41 13 5295 1992 snmp_config_mem_fuzzer.c
snmp_e2e_fuzzer testing/fuzzing/snmp_e2e_fuzzer.c 1207 602 37 66 28798 10207 snmp_e2e_fuzzer.c
snmp_scoped_pdu_parse_fuzzer testing/fuzzing/snmp_scoped_pdu_parse_fuzzer.c 55 1744 8 10 604 274 snmp_scoped_pdu_parse_fuzzer.c
agentx_parse_fuzzer testing/fuzzing/agentx_parse_fuzzer.c 122 1701 10 11 4938 1615 agentx_parse_fuzzer.c
snmp_api_fuzzer testing/fuzzing/snmp_api_fuzzer.c 349 1483 39 23 12638 4336 snmp_api_fuzzer.c
snmp_agent_e2e_fuzzer testing/fuzzing/snmp_agent_e2e_fuzzer.c 1845 596 41 101 47462 16306 snmp_agent_e2e_fuzzer.c

Fuzzer details

Fuzzer: snmp_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1200 93.0%
gold [1:9] 8 0.62%
yellow [10:29] 3 0.23%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 78 6.05%
All colors 1289 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1746 1746 2 : ['netsnmp_read_module', 'new_module'] 1748 1748 read_mib call site: 00071 /src/net-snmp/snmplib/parse.c:5040
1292 2412 7 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'stat', 'read_config', 'strncmp'] 1292 2412 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1324
264 266 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', '__errno_location', 'strerror'] 264 266 read_config call site: 00000 /src/net-snmp/snmplib/read_config.c:770
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00054 /src/net-snmp/snmplib/snmp_logging.c:1098
2 128 3 : ['strchr', 'internal_register_config_handler', 'strlcpy'] 2 128 internal_register_config_handler call site: 00005 /src/net-snmp/snmplib/read_config.c:164
2 2 1 : ['__errno_location'] 2 50 snmp_log_perror call site: 00046 /src/net-snmp/snmplib/snmp_logging.c:1412
2 2 1 : ['strlen'] 2 2 strlcat call site: 00768 /src/net-snmp/snmplib/strlcat.c:53
0 5 1 : ['netsnmp_ds_get_string'] 530 665 internal_register_config_handler call site: 00003 /src/net-snmp/snmplib/read_config.c:156
0 0 None 1292 2412 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1267
0 0 None 1292 2412 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1296
0 0 None 1292 2412 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1316
0 0 None 1292 2412 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1321

Runtime coverage analysis

Covered functions: 41
Functions that are reachable but not covered: 164
Reachable functions: 204
Percentage of reachable functions covered: 19.61%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_config_fuzzer.c 1
snmplib/mib.c 39
snmplib/read_config.c 10
snmplib/default_store.c 9
snmplib/strlcpy.c 1
snmplib/snmp_debug.c 1
snmplib/parse.c 61
snmplib/snmp_logging.c 7
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/strlcat.c 1

Fuzzer: snmp_parse_oid_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1163 91.4%
gold [1:9] 50 3.93%
yellow [10:29] 4 0.31%
greenyellow [30:49] 1 0.07%
lawngreen 50+ 54 4.24%
All colors 1272 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'malloc'] 260 343 netsnmp_set_mib_directory call site: 01151 /src/net-snmp/snmplib/mib.c:2529
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00066 /src/net-snmp/snmplib/parse.c:1251
0 1865 1 : ['get_node'] 0 1865 read_objid call site: 01259 /src/net-snmp/snmplib/mib.c:3003
0 48 1 : ['snmp_log'] 0 1704 read_module_replacements call site: 01138 /src/net-snmp/snmplib/parse.c:3838
0 0 None 768 1076 netsnmp_get_mib_directory call site: 01147 /src/net-snmp/snmplib/mib.c:2586
0 0 None 256 402 print_error call site: 00453 /src/net-snmp/snmplib/parse.c:780
0 0 None 95 206 _add_strings_to_oid call site: 01188 /src/net-snmp/snmplib/mib.c:5345
0 0 1 : ['free'] 2 2 netsnmp_ds_set_string call site: 01157 /src/net-snmp/snmplib/default_store.c:295
0 0 None 2 2 name_hash call site: 00016 /src/net-snmp/snmplib/parse.c:690
0 0 None 0 1902 snmp_parse_oid call site: 01247 /src/net-snmp/snmplib/mib.c:6073
0 0 None 0 1849 get_node call site: 01244 /src/net-snmp/snmplib/mib.c:5727
0 0 None 0 50 find_best_tree_node call site: 01253 /src/net-snmp/snmplib/parse.c:1361

Runtime coverage analysis

Covered functions: 40
Functions that are reachable but not covered: 145
Reachable functions: 184
Percentage of reachable functions covered: 21.2%

Files reached

filename functions hit
testing/fuzzing/snmp_parse_oid_fuzzer.c 1
snmplib/mib.c 50
snmplib/default_store.c 4
snmplib/snmp_debug.c 1
snmplib/parse.c 62
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/snmp_logging.c 7
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_mib_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 473 40.1%
gold [1:9] 81 6.87%
yellow [10:29] 27 2.29%
greenyellow [30:49] 9 0.76%
lawngreen 50+ 589 49.9%
All colors 1179 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'malloc'] 260 343 netsnmp_set_mib_directory call site: 01152 /src/net-snmp/snmplib/mib.c:2529
258 313 7 : ['free', 'netsnmp_ds_get_int', 'debugmsgtoken', 'strdup', 'snmp_get_do_debugging', 'snmp_log', 'debugmsg'] 258 313 new_module call site: 00085 /src/net-snmp/snmplib/parse.c:4253
72 72 1 : ['dump_module_list'] 844 2883 do_linkup call site: 00510 /src/net-snmp/snmplib/parse.c:1723
61 61 2 : ['__errno_location', 'snmp_log_perror'] 61 61 read_module_internal call site: 00495 /src/net-snmp/snmplib/parse.c:3920
57 57 1 : ['snmp_log_perror'] 57 57 read_mib call site: 00006 /src/net-snmp/snmplib/parse.c:5033
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00016 /src/net-snmp/snmplib/snmp_logging.c:1098
2 2 1 : ['strdup'] 2 1611 parse_moduleIdentity call site: 01063 /src/net-snmp/snmplib/parse.c:3550
2 2 1 : ['strlen'] 2 2 strlcat call site: 00734 /src/net-snmp/snmplib/strlcat.c:53
0 2240 4 : ['read_module_internal', 'eat_syntax', 'find_tree_node', 'which_module'] 0 7087 parse_capabilities call site: 00991 /src/net-snmp/snmplib/parse.c:3344
0 52 1 : ['free_node'] 0 52 parse_trapDefinition call site: 00861 /src/net-snmp/snmplib/parse.c:3017
0 48 1 : ['snmp_log'] 0 1778 read_import_replacements call site: 00000 /src/net-snmp/snmplib/parse.c:3874
0 48 1 : ['snmp_log'] 0 1704 read_module_replacements call site: 01139 /src/net-snmp/snmplib/parse.c:3838

Runtime coverage analysis

Covered functions: 79
Functions that are reachable but not covered: 87
Reachable functions: 165
Percentage of reachable functions covered: 47.27%

Files reached

filename functions hit
testing/fuzzing/snmp_mib_fuzzer.c 1
snmplib/parse.c 61
snmplib/snmp_logging.c 7
snmplib/default_store.c 4
snmplib/snmp_debug.c 1
snmplib/mib.c 34
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/strlcpy.c 1
snmplib/strlcat.c 1

Fuzzer: snmp_parse_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 713 74.1%
gold [1:9] 14 1.45%
yellow [10:29] 20 2.07%
greenyellow [30:49] 8 0.83%
lawngreen 50+ 207 21.5%
All colors 962 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
204 204 1 : ['snmp_parse_version'] 5678 8690 _snmp_parse call site: 00337 /src/net-snmp/snmplib/snmp_api.c:4294
19 163 3 : ['se_find_label_in_slist', 'snmp_log', 'strcmp'] 19 163 register_sec_mod call site: 00000 /src/net-snmp/snmplib/snmp_secmod.c:92
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00068 /src/net-snmp/snmplib/snmp_logging.c:1098
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_int call site: 00031 /src/net-snmp/snmplib/asn1.c:581
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int call site: 00179 /src/net-snmp/snmplib/asn1.c:670
0 13 1 : ['_asn_type_err'] 0 13 asn_parse_bitstring call site: 00290 /src/net-snmp/snmplib/asn1.c:1848
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_bitstring call site: 00292 /src/net-snmp/snmplib/asn1.c:1854
0 13 1 : ['_asn_length_err'] 0 13 asn_parse_bitstring call site: 00293 /src/net-snmp/snmplib/asn1.c:1859
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int64 call site: 00216 /src/net-snmp/snmplib/asn1.c:1969
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_unsigned_int64 call site: 00225 /src/net-snmp/snmplib/asn1.c:2025
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_signed_int64 call site: 00264 /src/net-snmp/snmplib/asn1.c:2240
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_signed_int64 call site: 00272 /src/net-snmp/snmplib/asn1.c:2282

Runtime coverage analysis

Covered functions: 51
Functions that are reachable but not covered: 163
Reachable functions: 210
Percentage of reachable functions covered: 22.38%

Files reached

filename functions hit
testing/fuzzing/snmp_parse_fuzzer.c 1
snmplib/snmp_api.c 38
snmplib/snmp_debug.c 4
snmplib/asn1.c 50
snmplib/strlcpy.c 1
snmplib/snmp_logging.c 6
snmplib/default_store.c 3
snmplib/mib.c 1
snmplib/tools.c 3
snmplib/snmp_secmod.c 1
snmplib/snmp.c 4
snmplib/snmp_client.c 10
snmplib/int64.c 5
snmplib/snmp_auth.c 1
snmplib/callback.c 4
snmplib/snmpv3.c 2
snmplib/snmp_enum.c 3
snmplib/snmp_transport.c 2

Fuzzer: read_objid_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1156 92.7%
gold [1:9] 50 4.01%
yellow [10:29] 2 0.16%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 38 3.04%
All colors 1246 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'malloc'] 260 343 netsnmp_set_mib_directory call site: 01143 /src/net-snmp/snmplib/mib.c:2529
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00059 /src/net-snmp/snmplib/parse.c:1251
0 48 1 : ['snmp_log'] 0 1704 read_module_replacements call site: 01130 /src/net-snmp/snmplib/parse.c:3838
0 0 None 768 1076 netsnmp_get_mib_directory call site: 01139 /src/net-snmp/snmplib/mib.c:2586
0 0 None 256 402 print_error call site: 00446 /src/net-snmp/snmplib/parse.c:780
0 0 None 95 206 _add_strings_to_oid call site: 01180 /src/net-snmp/snmplib/mib.c:5345
0 0 1 : ['free'] 2 2 netsnmp_ds_set_string call site: 01149 /src/net-snmp/snmplib/default_store.c:295
0 0 None 2 2 name_hash call site: 00009 /src/net-snmp/snmplib/parse.c:690
0 0 None 0 3698 get_node call site: 00003 /src/net-snmp/snmplib/mib.c:5715
0 0 None 0 1849 get_node call site: 01236 /src/net-snmp/snmplib/mib.c:5727
0 0 None 0 41 snmp_vlog call site: 00290 /src/net-snmp/snmplib/snmp_logging.c:1376
0 0 None 0 28 snmp_log_string call site: 00291 /src/net-snmp/snmplib/snmp_logging.c:1297

Runtime coverage analysis

Covered functions: 34
Functions that are reachable but not covered: 142
Reachable functions: 175
Percentage of reachable functions covered: 18.86%

Files reached

filename functions hit
testing/fuzzing/read_objid_fuzzer.c 1
snmplib/mib.c 46
snmplib/parse.c 60
snmplib/snmp_debug.c 1
snmplib/default_store.c 4
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/snmp_logging.c 7
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_transport_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1974 87.5%
gold [1:9] 48 2.12%
yellow [10:29] 25 1.10%
greenyellow [30:49] 5 0.22%
lawngreen 50+ 204 9.04%
All colors 2256 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
514 518 4 : ['snmp_get_do_debugging', 'freeaddrinfo', 'debugmsgtoken', 'debugmsg'] 514 518 netsnmp_resolve_v6_hostname call site: 01490 /src/net-snmp/snmplib/transports/snmpIPv6BaseDomain.c:200
256 258 3 : ['snmp_get_do_debugging', 'debugmsgtoken', 'debugmsg'] 256 258 netsnmp_gethostbyname_v4 call site: 01149 /src/net-snmp/snmplib/system.c:790
96 96 1 : ['snmp_log'] 96 96 _callback_lock call site: 00170 /src/net-snmp/snmplib/callback.c:138
87 87 4 : ['ntohs', 'netsnmp_gethostbyaddr', 'netsnmp_if_indextoname', 'inet_ntop'] 89 89 netsnmp_ipv6_fmtaddr call site: 01504 /src/net-snmp/snmplib/transports/snmpIPv6BaseDomain.c:137
60 60 2 : ['CONTAINER_FREE', 'CONTAINER_CLEAR'] 60 60 netsnmp_transport_filter_cleanup call site: 02252 /src/net-snmp/snmplib/snmp_transport.c:367
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00050 /src/net-snmp/snmplib/snmp_logging.c:1098
4 294 5 : ['endnetgrent', 'getnetgrent', 'netsnmp_udp_resolve_source', 'netsnmp_udp_com2SecEntry_check_return_code', 'netsnmp_udp_com2SecEntry_create'] 4 350 netsnmp_parse_source_as_netgroup call site: 02206 /src/net-snmp/snmplib/transports/snmpUDPDomain.c:391
2 128 3 : ['strchr', 'internal_register_config_handler', 'strlcpy'] 2 128 internal_register_config_handler call site: 00014 /src/net-snmp/snmplib/read_config.c:164
0 56 1 : ['config_perror'] 0 56 create_com2Sec6Entry call site: 02170 /src/net-snmp/snmplib/transports/snmpUDPIPv6Domain.c:554
0 0 None 834 1049 netsnmp_sockaddr_in6_3 call site: 01478 /src/net-snmp/snmplib/transports/snmpIPv6BaseDomain.c:273
0 0 None 595 609 netsnmp_getaddrinfo call site: 01150 /src/net-snmp/snmplib/system.c:853
0 0 None 532 544 netsnmp_getaddrinfo call site: 01152 /src/net-snmp/snmplib/system.c:858

Runtime coverage analysis

Covered functions: 71
Functions that are reachable but not covered: 537
Reachable functions: 607
Percentage of reachable functions covered: 11.53%

Files reached

filename functions hit
testing/fuzzing/snmp_transport_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 4
snmplib/default_store.c 9
snmplib/snmp_debug.c 1
snmplib/snmp_transport.c 28
snmplib/read_config.c 22
snmplib/strlcpy.c 1
snmplib/snmp_logging.c 7
snmplib/container.c 14
snmplib/snmp_api.c 4
snmplib/transports/snmpTLSBaseDomain.c 20
snmplib/snmp_openssl.c 15
snmplib/callback.c 5
snmplib/cert_util.c 56
snmplib/tools.c 5
snmplib/system.c 5
snmplib/snmp_enum.c 7
snmplib/dir_utils.c 3
snmplib/file_utils.c 5
snmplib/data_list.c 5
snmplib/transports/snmpTLSTCPDomain.c 14
snmplib/transports/snmpIPv4BaseDomain.c 4
/usr/include/openssl/x509.h 2
/usr/include/openssl/x509v3.h 2
snmplib/transports/snmpSocketBaseDomain.c 6
snmplib/transports/snmpDTLSUDPDomain.c 25
snmplib/transports/snmpIPBaseDomain.c 3
snmplib/transports/snmpUDPDomain.c 13
snmplib/transports/snmpUDPIPv4BaseDomain.c 7
snmplib/sd-daemon.c 6
snmplib/transports/snmpUDPBaseDomain.c 1
snmplib/transports/snmpIPv6BaseDomain.c 9
snmplib/transports/snmpUDPIPv6Domain.c 16
snmplib/transports/snmpUDPsharedDomain.c 16
snmplib/transports/snmpSTDDomain.c 10
snmplib/transports/snmpIPXDomain.c 11
snmplib/transports/snmpAAL5PVCDomain.c 10
snmplib/transports/snmpTCPIPv6Domain.c 6
snmplib/transports/snmpTCPDomain.c 6
snmplib/transports/snmpAliasDomain.c 4
snmplib/strlcat.c 1
snmplib/snmp_service.c 2
snmplib/transports/snmpUnixDomain.c 11

Fuzzer: snmp_pdu_parse_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 67 28.1%
gold [1:9] 4 1.68%
yellow [10:29] 26 10.9%
greenyellow [30:49] 13 5.46%
lawngreen 50+ 128 53.7%
All colors 238 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00104 /src/net-snmp/snmplib/snmp_logging.c:1098
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_int call site: 00064 /src/net-snmp/snmplib/asn1.c:581
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int call site: 00078 /src/net-snmp/snmplib/asn1.c:670
0 13 1 : ['_asn_type_err'] 0 13 asn_parse_bitstring call site: 00209 /src/net-snmp/snmplib/asn1.c:1848
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_bitstring call site: 00211 /src/net-snmp/snmplib/asn1.c:1854
0 13 1 : ['_asn_length_err'] 0 13 asn_parse_bitstring call site: 00212 /src/net-snmp/snmplib/asn1.c:1859
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int64 call site: 00135 /src/net-snmp/snmplib/asn1.c:1969
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_unsigned_int64 call site: 00144 /src/net-snmp/snmplib/asn1.c:2025
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_signed_int64 call site: 00183 /src/net-snmp/snmplib/asn1.c:2240
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_signed_int64 call site: 00191 /src/net-snmp/snmplib/asn1.c:2282
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_float call site: 00162 /src/net-snmp/snmplib/asn1.c:2496
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_double call site: 00176 /src/net-snmp/snmplib/asn1.c:2686

Runtime coverage analysis

Covered functions: 41
Functions that are reachable but not covered: 75
Reachable functions: 115
Percentage of reachable functions covered: 34.78%

Files reached

filename functions hit
testing/fuzzing/snmp_pdu_parse_fuzzer.c 1
snmplib/snmp_api.c 10
snmplib/asn1.c 18
snmplib/strlcpy.c 1
snmplib/snmp_debug.c 1
snmplib/tools.c 2
snmplib/mib.c 1
snmplib/snmp_logging.c 6
snmplib/default_store.c 1
snmplib/snmp.c 1
snmplib/snmp_client.c 1
snmplib/int64.c 5
snmplib/snmp_secmod.c 1

Fuzzer: parse_octet_hint_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 24 75.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 7 21.8%
lawngreen 50+ 1 3.12%
All colors 32 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 1 : ['free'] 0 0 parse_octet_hint call site: 00031 /src/net-snmp/snmplib/mib.c:6323

Runtime coverage analysis

Covered functions: 5
Functions that are reachable but not covered: 9
Reachable functions: 13
Percentage of reachable functions covered: 30.77%

Files reached

filename functions hit
testing/fuzzing/parse_octet_hint_fuzzer.c 1
snmplib/mib.c 6

Fuzzer: snmp_print_var_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1011 76.7%
gold [1:9] 85 6.45%
yellow [10:29] 39 2.96%
greenyellow [30:49] 26 1.97%
lawngreen 50+ 156 11.8%
All colors 1317 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1660 1660 3 : ['strtok_r', 'free', 'read_mib'] 2440 2450 netsnmp_init_mib call site: 00000 /src/net-snmp/snmplib/mib.c:2790
260 262 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'malloc'] 260 343 netsnmp_set_mib_directory call site: 01165 /src/net-snmp/snmplib/mib.c:2530
197 197 3 : ['free', 'strrchr', 'add_mibfile'] 197 197 add_mibdir call site: 00000 /src/net-snmp/snmplib/parse.c:5005
195 195 1 : ['add_mibfile'] 6504 9838 netsnmp_init_mib call site: 00000 /src/net-snmp/snmplib/mib.c:2697
15 15 1 : ['printI64'] 15 96 sprint_realloc_counter64 call site: 00293 /src/net-snmp/snmplib/mib.c:959
12 23 3 : ['strlen', 'sprint_char', 'snmp_realloc'] 12 23 _sprint_hexstring_line call site: 00137 /src/net-snmp/snmplib/mib.c:328
2 829 3 : ['memchr', 'snmp_realloc', 'sprint_realloc_octet_string'] 2 1114 sprint_realloc_octet_string call site: 00061 /src/net-snmp/snmplib/mib.c:475
2 2 1 : ['strlen'] 2 29 sprint_realloc_hinted_integer call site: 00329 /src/net-snmp/snmplib/mib.c:1298
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00080 /src/net-snmp/snmplib/parse.c:1251
2 2 1 : ['strlen'] 2 2 strlcat call site: 00747 /src/net-snmp/snmplib/strlcat.c:53
0 706 2 : ['sprint_realloc_by_type', 'netsnmp_ds_get_boolean'] 0 733 sprint_realloc_null call site: 00245 /src/net-snmp/snmplib/mib.c:1772
0 701 1 : ['sprint_realloc_by_type'] 0 733 sprint_realloc_octet_string call site: 00058 /src/net-snmp/snmplib/mib.c:462

Runtime coverage analysis

Covered functions: 82
Functions that are reachable but not covered: 109
Reachable functions: 185
Percentage of reachable functions covered: 41.08%

Files reached

filename functions hit
testing/fuzzing/snmp_print_var_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 4
snmplib/default_store.c 5
snmplib/snmp_debug.c 1
snmplib/mib.c 51
snmplib/parse.c 60
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/snmp_logging.c 7
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_config_mem_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1163 89.7%
gold [1:9] 51 3.93%
yellow [10:29] 5 0.38%
greenyellow [30:49] 6 0.46%
lawngreen 50+ 71 5.47%
All colors 1296 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'malloc'] 260 343 netsnmp_set_mib_directory call site: 01178 /src/net-snmp/snmplib/mib.c:2529
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00027 /src/net-snmp/snmplib/snmp_logging.c:1098
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00110 /src/net-snmp/snmplib/parse.c:1251
0 48 1 : ['snmp_log'] 0 1704 read_module_replacements call site: 01165 /src/net-snmp/snmplib/parse.c:3838
0 0 None 768 1076 netsnmp_get_mib_directory call site: 01174 /src/net-snmp/snmplib/mib.c:2586
0 0 None 264 2684 read_config_read_memory call site: 00001 /src/net-snmp/snmplib/read_config.c:2244
0 0 1 : ['malloc'] 258 2265 read_config_read_objid_const call site: 00050 /src/net-snmp/snmplib/read_config.c:2123
0 0 None 258 269 copy_nword_const call site: 00003 /src/net-snmp/snmplib/read_config.c:1833
0 0 None 256 402 print_error call site: 00480 /src/net-snmp/snmplib/parse.c:780
0 0 None 95 206 _add_strings_to_oid call site: 01215 /src/net-snmp/snmplib/mib.c:5345
0 0 1 : ['malloc'] 2 103 read_config_read_octet_string_const call site: 00044 /src/net-snmp/snmplib/read_config.c:2063
0 0 1 : ['malloc'] 2 11 read_config_read_octet_string_const call site: 00038 /src/net-snmp/snmplib/read_config.c:2015

Runtime coverage analysis

Covered functions
50
Functions that are reachable but not covered
142
Reachable functions
191
Percentage of reachable functions covered
25.65%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_config_mem_fuzzer.c 1
snmplib/read_config.c 11
snmplib/snmp_debug.c 1
snmplib/snmp_logging.c 7
snmplib/default_store.c 4
snmplib/mib.c 46
snmplib/parse.c 60
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 9
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_e2e_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4957 82.7%
gold [1:9] 658 10.9%
yellow [10:29] 68 1.13%
greenyellow [30:49] 26 0.43%
lawngreen 50+ 283 4.72%
All colors 5992 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4371 4371 1 : ['_sess_read_accept'] 4371 4371 _sess_read call site: 04653 /src/net-snmp/snmplib/snmp_api.c:6137
1660 1660 3 : ['strtok_r', 'free', 'read_mib'] 1672 2450 netsnmp_init_mib call site: 05792 /src/net-snmp/snmplib/mib.c:2790
1413 1413 6 : ['netsnmp_directory_container_read_some', '_certindex_new', '_add_certfile', '_cert_read_index', 'fclose', 'netsnmp_directory_container_free'] 1413 2581 _add_certdir call site: 00591 /src/net-snmp/snmplib/cert_util.c:1639
1079 2157 23 : ['free', 'run_config_handler', 'realloc', 'netsnmp_ds_get_boolean', 'strcmp', 'strncasecmp', 'strlen', 'closedir', 'fclose', 'strlcat', 'fgets', 'opendir', 'netsnmp_config_warn', 'read_config', 'read_config_files_of_type', 'read_config_get_handlers', 'netsnmp_config_error', 'skip_white', 'strlcpy', 'strrchr', 'strcasecmp', 'copy_nword', 'readdir'] 1079 3189 read_config call site: 02295 /src/net-snmp/snmplib/read_config.c:762
268 784 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'snmp_sess_close', 'snmpv3_engineID_probe', 'debugmsg'] 268 784 snmp_sess_add_ex call site: 04721 /src/net-snmp/snmplib/snmp_api.c:1857
204 204 1 : ['snmp_parse_version'] 3565 8690 _snmp_parse call site: 04762 /src/net-snmp/snmplib/snmp_api.c:4294
199 212 4 : ['generate_Ku', 'snmp_duplicate_objid', 'get_default_privtype', 'snmp_perror'] 205 486 netsnmp_parse_args call site: 05966 /src/net-snmp/snmplib/snmp_parse_args.c:593
197 197 3 : ['free', 'strrchr', 'add_mibfile'] 197 197 add_mibdir call site: 00000 /src/net-snmp/snmplib/parse.c:5005
195 195 1 : ['add_mibfile'] 5224 9838 netsnmp_init_mib call site: 05771 /src/net-snmp/snmplib/mib.c:2697
182 182 1 : ['snmp_sess_close'] 182 182 snmp_close call site: 04610 /src/net-snmp/snmplib/snmp_api.c:2056
182 182 1 : ['snmp_sess_close'] 182 182 _sess_copy call site: 04717 /src/net-snmp/snmplib/snmp_api.c:1299
118 118 1 : ['netsnmp_transport_free'] 118 118 snmp_sess_add_ex call site: 04676 /src/net-snmp/snmplib/snmp_api.c:1828

Runtime coverage analysis

Covered functions
311
Functions that are reachable but not covered
904
Reachable functions
1207
Percentage of reachable functions covered
25.1%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_e2e_fuzzer.c 4
snmplib/snmp_parse_args.c 3
snmplib/snmp_api.c 83
snmplib/parse.c 62
snmplib/snmp_debug.c 10
snmplib/mib.c 43
snmplib/default_store.c 11
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 9
snmplib/int64.c 5
snmplib/snmp_logging.c 27
snmplib/snmp_transport.c 30
snmplib/transports/snmpTLSBaseDomain.c 20
snmplib/snmp_openssl.c 15
snmplib/read_config.c 45
snmplib/strlcpy.c 1
snmplib/callback.c 7
snmplib/cert_util.c 59
snmplib/system.c 7
snmplib/snmp_enum.c 14
snmplib/dir_utils.c 3
snmplib/container.c 22
snmplib/file_utils.c 5
snmplib/data_list.c 5
snmplib/transports/snmpTLSTCPDomain.c 14
snmplib/transports/snmpIPv4BaseDomain.c 4
/usr/include/openssl/x509.h 2
/usr/include/openssl/x509v3.h 2
snmplib/transports/snmpSocketBaseDomain.c 6
snmplib/transports/snmpDTLSUDPDomain.c 25
snmplib/transports/snmpIPBaseDomain.c 3
snmplib/transports/snmpUDPDomain.c 8
snmplib/transports/snmpUDPIPv4BaseDomain.c 7
snmplib/sd-daemon.c 6
snmplib/transports/snmpUDPBaseDomain.c 1
snmplib/transports/snmpIPv6BaseDomain.c 7
snmplib/transports/snmpUDPIPv6Domain.c 14
snmplib/transports/snmpUDPsharedDomain.c 16
snmplib/transports/snmpSTDDomain.c 10
snmplib/transports/snmpIPXDomain.c 11
snmplib/transports/snmpAAL5PVCDomain.c 10
snmplib/transports/snmpTCPIPv6Domain.c 6
snmplib/transports/snmpTCPDomain.c 6
snmplib/transports/snmpAliasDomain.c 4
snmplib/strlcat.c 1
snmplib/snmp_service.c 10
snmplib/transports/snmpUnixDomain.c 10
snmplib/snmp_version.c 1
snmplib/container_binary_array.c 31
snmplib/container_list_ssll.c 1
snmplib/container_null.c 2
snmplib/snmpv3.c 24
snmplib/lcd_time.c 6
snmplib/scapi.c 20
snmplib/snmp_secmod.c 4
snmplib/snmpusm.c 56
snmplib/asn1.c 51
snmplib/keytools.c 5
snmplib/snmp_client.c 15
snmplib/snmp.c 4
snmplib/large_fd_set.c 10
snmplib/snmp_alarm.c 11
snmplib/snmp_auth.c 1
snmplib/snmptsm.c 7
snmplib/snmpksm.c 12
snmplib/vacm.c 1

Fuzzer: snmp_scoped_pdu_parse_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 53 61.6%
gold [1:9] 7 8.13%
yellow [10:29] 2 2.32%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 24 27.9%
All colors 86 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
617 855 10 : ['asn_parse_string', 'debugmsgtoken', 'asn_parse_header', 'snmp_get_do_debugging', 'strdup', 'debug_indent_add', 'debug_is_token_registered', 'debugmsg', 'debug_indent_get', 'netsnmp_memdup'] 617 873 snmpv3_scopedPDU_parse call site: 00050 /src/net-snmp/snmplib/snmp_api.c:4913
0 0 None 96 99 free_securityStateRef call site: 00061 /src/net-snmp/snmplib/snmp_api.c:4046
0 0 None 0 106 asn_parse_header call site: 00004 /src/net-snmp/snmplib/asn1.c:1082
0 0 None 0 74 snmp_free_pdu call site: 00060 /src/net-snmp/snmplib/snmp_api.c:5517
0 0 None 0 27 asn_parse_length call site: 00013 /src/net-snmp/snmplib/asn1.c:1307
0 0 None 0 15 snmp_free_pdu call site: 00082 /src/net-snmp/snmplib/snmp_api.c:5523
0 0 None 0 0 asn_parse_nlength call site: 00012 /src/net-snmp/snmplib/asn1.c:330
0 0 None 0 0 asn_parse_nlength call site: 00012 /src/net-snmp/snmplib/asn1.c:333
0 0 None 0 0 asn_parse_length call site: 00014 /src/net-snmp/snmplib/asn1.c:1313
0 0 None 0 0 strlcpy call site: 00007 /src/net-snmp/snmplib/strlcpy.c:30
0 0 None 0 0 strlcpy call site: 00007 /src/net-snmp/snmplib/strlcpy.c:34

Runtime coverage analysis

Covered functions
16
Functions that are reachable but not covered
40
Reachable functions
55
Percentage of reachable functions covered
27.27%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_scoped_pdu_parse_fuzzer.c 1
snmplib/snmp_api.c 7
snmplib/asn1.c 8
snmplib/strlcpy.c 1
snmplib/snmp_debug.c 1
snmplib/mib.c 1
snmplib/tools.c 2
snmplib/snmp_secmod.c 1
snmplib/snmp_logging.c 6
snmplib/default_store.c 1

Fuzzer: agentx_parse_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 123 26.3%
gold [1:9] 4 0.85%
yellow [10:29] 15 3.21%
greenyellow [30:49] 29 6.22%
lawngreen 50+ 295 63.3%
All colors 466 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
192 192 1 : ['snmp_log'] 192 192 snmp_set_var_value call site: 00103 /src/net-snmp/snmplib/snmp_client.c:842
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00124 /src/net-snmp/snmplib/snmp_client.c:920
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00126 /src/net-snmp/snmplib/snmp_client.c:940
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00127 /src/net-snmp/snmplib/snmp_client.c:966
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00128 /src/net-snmp/snmplib/snmp_client.c:977
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00129 /src/net-snmp/snmplib/snmp_client.c:987
0 12 1 : ['snmp_free_var'] 0 12 snmp_varlist_add_variable call site: 00102 /src/net-snmp/snmplib/snmp_api.c:7247
0 0 None 11990 22361 _agentx_realloc_build call site: 00213 /src/net-snmp/agent/mibgroup/agentx/protocol.c:705
0 0 None 6626 15672 agentx_parse call site: 00003 /src/net-snmp/agent/mibgroup/agentx/protocol.c:1588
0 0 None 3900 8706 agentx_realloc_build_varbind call site: 00367 /src/net-snmp/agent/mibgroup/agentx/protocol.c:392
0 0 None 3900 8706 agentx_realloc_build_varbind call site: 00370 /src/net-snmp/agent/mibgroup/agentx/protocol.c:402
0 0 None 3399 7091 agentx_realloc_build_varbind call site: 00380 /src/net-snmp/agent/mibgroup/agentx/protocol.c:434

Runtime coverage analysis

Covered functions
39
Functions that are reachable but not covered
84
Reachable functions
122
Percentage of reachable functions covered
31.15%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/agentx_parse_fuzzer.c 1
agent/mibgroup/agentx/protocol.c 22
snmplib/snmp_debug.c 2
snmplib/mib.c 1
snmplib/tools.c 1
snmplib/snmp_client.c 4
snmplib/snmp_api.c 8
snmplib/snmp_logging.c 6
snmplib/default_store.c 1
snmplib/strlcpy.c 1
snmplib/snmp_secmod.c 1

Fuzzer: snmp_api_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1567 63.5%
gold [1:9] 100 4.05%
yellow [10:29] 59 2.39%
greenyellow [30:49] 32 1.29%
lawngreen 50+ 707 28.6%
All colors 2465 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4208 8107 17 : ['snmp_pdu_realloc_rbuild', 'free', 'debug_is_token_registered', 'asn_realloc_rbuild_sequence', 'debugmsg', 'asn_build_string', 'asn_realloc_rbuild_int', 'netsnmp_memdup', 'debugmsgtoken', 'asn_realloc_rbuild_string', 'snmp_get_do_debugging', 'snmp_pdu_build', 'debug_indent_add', 'asn_build_sequence', 'snmp_pdu_type', 'debug_indent_get', 'asn_build_int'] 4208 8107 _snmp_build call site: 02364 /src/net-snmp/snmplib/snmp_api.c:2950
3038 3407 11 : ['debugmsgtoken', 'snmp_free_varbind', 'snmp_get_do_debugging', 'snmp_log', 'snmp_clone_pdu', 'snmpv3_get_engineID', 'snmp_free_pdu', 'debugmsg', 'snmp_sess_send', 'snmp_pdu_add_variable', 'snmp_oid_compare'] 3038 3407 _snmp_parse call site: 02044 /src/net-snmp/snmplib/snmp_api.c:4438
260 262 5 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'malloc'] 260 343 netsnmp_set_mib_directory call site: 01374 /src/net-snmp/snmplib/mib.c:2529
256 273 4 : ['snmp_get_do_debugging', 'debugmsgtoken', 'snmp_free_varbind', 'debugmsg'] 256 301 snmp_pdu_build call site: 01689 /src/net-snmp/snmplib/snmp_api.c:3420
105 105 1 : ['snmp_call_callbacks'] 3143 3576 _snmp_parse call site: 02028 /src/net-snmp/snmplib/snmp_api.c:4385
19 163 3 : ['se_find_label_in_slist', 'snmp_log', 'strcmp'] 19 163 register_sec_mod call site: 00000 /src/net-snmp/snmplib/snmp_secmod.c:92
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00111 /src/net-snmp/snmplib/snmp_logging.c:1098
6 139 5 : ['strtok_r', 'strcmp', 'snmp_realloc', 'strtoul', 'snmp_pdu_add_variable'] 6 175 snmp_add_var call site: 01516 /src/net-snmp/snmplib/snmp_api.c:7612
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00312 /src/net-snmp/snmplib/parse.c:1251
0 1865 1 : ['get_node'] 0 1865 read_objid call site: 01481 /src/net-snmp/snmplib/mib.c:3003
0 1167 3 : ['asn_realloc_rbuild_string', 'asn_realloc_rbuild_objid', 'asn_realloc_rbuild_unsigned_int'] 2505 4725 snmp_pdu_realloc_rbuild call site: 02265 /src/net-snmp/snmplib/snmp_api.c:3548
0 96 1 : ['store_byte'] 1221 1460 asn_realloc_rbuild_objid call site: 02197 /src/net-snmp/snmplib/asn1.c:3308

Runtime coverage analysis

Covered functions
161
Functions that are reachable but not covered
192
Reachable functions
349
Percentage of reachable functions covered
44.99%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_api_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 7
agent/mibgroup/agentx/protocol.c 11
snmplib/snmp_debug.c 5
snmplib/mib.c 50
snmplib/tools.c 7
snmplib/snmp_client.c 11
snmplib/snmp_api.c 43
snmplib/snmp_logging.c 7
snmplib/default_store.c 5
snmplib/strlcpy.c 1
snmplib/int64.c 9
snmplib/parse.c 62
snmplib/../include/net-snmp/library/tools.h 1
snmplib/strlcat.c 1
snmplib/asn1.c 50
snmplib/snmp.c 4
snmplib/snmp_secmod.c 1
snmplib/snmp_auth.c 1
snmplib/callback.c 4
snmplib/snmpv3.c 3
snmplib/snmp_enum.c 3
snmplib/snmp_transport.c 2

Fuzzer: snmp_agent_e2e_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 6749 75.6%
gold [1:9] 167 1.87%
yellow [10:29] 92 1.03%
greenyellow [30:49] 41 0.45%
lawngreen 50+ 1867 20.9%
All colors 8916 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
10603 10603 1 : ['real_init_master'] 10826 11098 init_master_agent call site: 08580 /src/net-snmp/agent/snmp_agent.c:1525
9170 9170 1 : ['subagent_init'] 9170 23011 init_agent call site: 08229 /src/net-snmp/agent/snmp_vars.c:311
4878 5027 11 : ['free', 'debugmsgtoken', 'netsnmp_max_send_msg_size', 'snmp_get_do_debugging', 'snmp_log', 'count_varbinds', 'snmpv3_engineID_probe', 'debugmsg', 'netsnmp_ds_get_boolean', 'malloc', 'netsnmp_build_packet'] 4878 5027 _build_initial_pdu_packet call site: 04558 /src/net-snmp/snmplib/snmp_api.c:5007
4023 4025 6 : ['debugmsgtoken', 'snmp_get_do_debugging', 'get_wild_node', 'get_node', 'clear_tree_flags', 'debugmsg'] 4023 4025 snmp_parse_oid call site: 06961 /src/net-snmp/snmplib/mib.c:6080
2276 4776 6 : ['netsnmp_remove_and_free_agent_snmp_session', 'snmp_increment_statistic', 'snmp_call_callbacks', 'snmp_send', 'snmp_free_pdu', 'send_easy_trap'] 2276 4776 handle_snmp_packet call site: 06589 /src/net-snmp/agent/snmp_agent.c:2240
1865 1865 1 : ['get_node'] 1865 1865 read_objid call site: 06961 /src/net-snmp/snmplib/mib.c:3003
1860 1860 1 : ['_sess_async_send'] 1860 1860 snmp_sess_async_send call site: 04556 /src/net-snmp/snmplib/snmp_api.c:5454
1660 1660 3 : ['strtok_r', 'free', 'read_mib'] 2440 2450 netsnmp_init_mib call site: 06111 /src/net-snmp/snmplib/mib.c:2790
1413 1413 6 : ['netsnmp_directory_container_read_some', '_certindex_new', '_add_certfile', '_cert_read_index', 'fclose', 'netsnmp_directory_container_free'] 2565 2581 _add_certdir call site: 01086 /src/net-snmp/snmplib/cert_util.c:1639
1292 2412 7 : ['debugmsgtoken', 'snmp_get_do_debugging', 'debugmsg', 'strlen', 'stat', 'read_config', 'strncmp'] 1292 2412 read_config_files_in_path call site: 00498 /src/net-snmp/snmplib/read_config.c:1324
911 911 1 : ['netsnmp_pdu_stats_process'] 1935 6262 netsnmp_wrap_up_request call site: 06751 /src/net-snmp/agent/snmp_agent.c:1895
840 840 1 : ['netsnmp_cache_timer_start'] 840 840 netsnmp_cache_handler_get call site: 07380 /src/net-snmp/agent/helpers/cache_handler.c:397

Runtime coverage analysis

Covered functions
589
Functions that are reachable but not covered
1268
Reachable functions
1845
Percentage of reachable functions covered
31.27%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_agent_e2e_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 4
agent/snmp_vars.c 6
snmplib/snmp_logging.c 28
snmplib/default_store.c 12
agent/snmp_agent.c 58
snmplib/tools.c 13
snmplib/snmp_debug.c 12
agent/kernel.c 2
agent/agent_registry.c 40
snmplib/snmp_api.c 99
agent/helpers/null.c 3
agent/agent_handler.c 31
agent/helpers/bulk_to_next.c 4
snmplib/snmp_enum.c 15
snmplib/snmp_client.c 22
snmplib/mib.c 68
snmplib/../include/net-snmp/library/tools.h 1
snmplib/callback.c 10
agent/agent_read_config.c 8
snmplib/read_config.c 53
snmplib/strlcpy.c 1
agent/agent_trap.c 27
snmplib/snmp_transport.c 37
snmplib/strlcat.c 1
snmplib/snmp_service.c 12
snmplib/parse.c 65
snmplib/int64.c 9
snmplib/transports/snmpTLSBaseDomain.c 20
snmplib/snmp_openssl.c 15
snmplib/cert_util.c 73
snmplib/system.c 8
snmplib/dir_utils.c 3
snmplib/container.c 26
snmplib/file_utils.c 5
snmplib/data_list.c 8
snmplib/transports/snmpTLSTCPDomain.c 14
snmplib/transports/snmpIPv4BaseDomain.c 6
/usr/include/openssl/x509.h 2
/usr/include/openssl/x509v3.h 2
snmplib/transports/snmpSocketBaseDomain.c 6
snmplib/transports/snmpDTLSUDPDomain.c 25
snmplib/transports/snmpIPBaseDomain.c 3
snmplib/transports/snmpUDPDomain.c 15
snmplib/transports/snmpUDPIPv4BaseDomain.c 7
snmplib/sd-daemon.c 6
snmplib/transports/snmpUDPBaseDomain.c 1
snmplib/transports/snmpIPv6BaseDomain.c 7
snmplib/transports/snmpUDPIPv6Domain.c 18
snmplib/transports/snmpUDPsharedDomain.c 16
snmplib/transports/snmpSTDDomain.c 10