Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Report generation date: 2023-09-25

Project overview: net-snmp

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
74.0%
1592 / 2151
Cyclomatic complexity statically reachable by fuzzers
83.0%
15875 / 19063
Runtime code coverage of functions
37.0%
796 / 2151

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
read_objid_fuzzer testing/fuzzing/read_objid_fuzzer.c 176 1627 38 12 5055 1898 read_objid_fuzzer.c
parse_octet_hint_fuzzer testing/fuzzing/parse_octet_hint_fuzzer.c 13 1791 4 2 150 63 parse_octet_hint_fuzzer.c
snmp_transport_fuzzer testing/fuzzing/snmp_transport_fuzzer.c 608 1202 16 43 11081 4248 snmp_transport_fuzzer.c
snmp_pdu_parse_fuzzer testing/fuzzing/snmp_pdu_parse_fuzzer.c 115 1687 7 13 2951 1133 snmp_pdu_parse_fuzzer.c
snmp_config_mem_fuzzer testing/fuzzing/snmp_config_mem_fuzzer.c 192 1610 41 13 5315 1999 snmp_config_mem_fuzzer.c
snmp_parse_fuzzer testing/fuzzing/snmp_parse_fuzzer.c 210 1593 17 18 7528 2568 snmp_parse_fuzzer.c
snmp_print_var_fuzzer testing/fuzzing/snmp_print_var_fuzzer.c 186 1624 38 13 5213 1956 snmp_print_var_fuzzer.c
snmp_parse_oid_fuzzer testing/fuzzing/snmp_parse_oid_fuzzer.c 185 1619 38 12 5180 1953 snmp_parse_oid_fuzzer.c
snmp_scoped_pdu_parse_fuzzer testing/fuzzing/snmp_scoped_pdu_parse_fuzzer.c 55 1747 8 10 604 274 snmp_scoped_pdu_parse_fuzzer.c
agentx_parse_fuzzer testing/fuzzing/agentx_parse_fuzzer.c 125 1701 10 12 5136 1665 agentx_parse_fuzzer.c
snmp_e2e_fuzzer testing/fuzzing/snmp_e2e_fuzzer.c 1211 601 37 66 28956 10279 snmp_e2e_fuzzer.c
snmp_config_fuzzer testing/fuzzing/snmp_config_fuzzer.c 205 1598 38 12 5209 1977 snmp_config_fuzzer.c
snmp_api_fuzzer testing/fuzzing/snmp_api_fuzzer.c 350 1485 39 23 12654 4341 snmp_api_fuzzer.c
snmp_mib_fuzzer testing/fuzzing/snmp_mib_fuzzer.c 166 1638 36 11 4382 1673 snmp_mib_fuzzer.c
snmp_agent_e2e_fuzzer testing/fuzzing/snmp_agent_e2e_fuzzer.c 1850 595 40 101 47641 16389 snmp_agent_e2e_fuzzer.c

Fuzzer details

Fuzzer: read_objid_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. What follows is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1184 92.8%
gold [1:9] 51 4.0%
yellow [10:29] 2 0.15%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 38 2.98%
All colors 1275 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['malloc', 'debugmsg', 'snmp_get_do_debugging', 'debugmsgtoken', 'strlen'] 260 343 netsnmp_set_mib_directory call site: 00604 /src/net-snmp/snmplib/mib.c:2533
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00059 /src/net-snmp/snmplib/parse.c:1251
0 48 1 : ['snmp_log'] 0 1711 read_module_replacements call site: 00590 /src/net-snmp/snmplib/parse.c:3845
0 0 None 768 1076 netsnmp_get_mib_directory call site: 00600 /src/net-snmp/snmplib/mib.c:2590
0 0 None 256 402 print_error call site: 00446 /src/net-snmp/snmplib/parse.c:780
0 0 None 95 206 _add_strings_to_oid call site: 01209 /src/net-snmp/snmplib/mib.c:5349
0 0 1 : ['free'] 2 2 netsnmp_ds_set_string call site: 00610 /src/net-snmp/snmplib/default_store.c:295
0 0 None 2 2 name_hash call site: 00009 /src/net-snmp/snmplib/parse.c:690
0 0 None 0 3712 get_node call site: 00003 /src/net-snmp/snmplib/mib.c:5719
0 0 None 0 1856 get_node call site: 01265 /src/net-snmp/snmplib/mib.c:5731
0 0 None 0 41 snmp_vlog call site: 00290 /src/net-snmp/snmplib/snmp_logging.c:1376
0 0 None 0 28 snmp_log_string call site: 00291 /src/net-snmp/snmplib/snmp_logging.c:1297

Runtime coverage analysis

Covered functions
34
Functions that are reachable but not covered
143
Reachable functions
176
Percentage of reachable functions covered
18.75%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/read_objid_fuzzer.c 1
snmplib/mib.c 46
snmplib/parse.c 63
snmplib/snmp_debug.c 1
snmplib/default_store.c 4
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/snmp_logging.c 7
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: parse_octet_hint_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 24 75.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 7 21.8%
lawngreen 50+ 1 3.12%
All colors 32 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 1 : ['free'] 0 0 parse_octet_hint call site: 00031 /src/net-snmp/snmplib/mib.c:6327

Runtime coverage analysis

Covered functions
5
Functions that are reachable but not covered
9
Reachable functions
13
Percentage of reachable functions covered
30.77%

Files reached

filename functions hit
testing/fuzzing/parse_octet_hint_fuzzer.c 1
snmplib/mib.c 6

Fuzzer: snmp_transport_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1981 87.6%
gold [1:9] 47 2.07%
yellow [10:29] 25 1.10%
greenyellow [30:49] 3 0.13%
lawngreen 50+ 204 9.02%
All colors 2260 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
514 518 4 : ['snmp_get_do_debugging', 'freeaddrinfo', 'debugmsg', 'debugmsgtoken'] 514 518 netsnmp_resolve_v6_hostname call site: 01488 /src/net-snmp/snmplib/transports/snmpIPv6BaseDomain.c:200
256 258 3 : ['snmp_get_do_debugging', 'debugmsg', 'debugmsgtoken'] 256 258 netsnmp_gethostbyname_v4 call site: 01146 /src/net-snmp/snmplib/system.c:790
96 96 1 : ['snmp_log'] 96 96 _callback_lock call site: 00170 /src/net-snmp/snmplib/callback.c:138
87 87 4 : ['netsnmp_gethostbyaddr', 'inet_ntop', 'netsnmp_if_indextoname', 'ntohs'] 89 89 netsnmp_ipv6_fmtaddr call site: 01502 /src/net-snmp/snmplib/transports/snmpIPv6BaseDomain.c:137
60 60 2 : ['CONTAINER_FREE', 'CONTAINER_CLEAR'] 60 60 netsnmp_transport_filter_cleanup call site: 02256 /src/net-snmp/snmplib/snmp_transport.c:367
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00050 /src/net-snmp/snmplib/snmp_logging.c:1098
4 294 5 : ['netsnmp_udp_resolve_source', 'endnetgrent', 'netsnmp_udp_com2SecEntry_create', 'getnetgrent', 'netsnmp_udp_com2SecEntry_check_return_code'] 4 350 netsnmp_parse_source_as_netgroup call site: 02214 /src/net-snmp/snmplib/transports/snmpUDPDomain.c:391
2 132 3 : ['internal_register_config_handler', 'strlcpy', 'strchr'] 2 132 internal_register_config_handler call site: 00014 /src/net-snmp/snmplib/read_config.c:164
0 56 1 : ['config_perror'] 0 56 create_com2Sec6Entry call site: 02179 /src/net-snmp/snmplib/transports/snmpUDPIPv6Domain.c:554
0 0 None 834 1049 netsnmp_sockaddr_in6_3 call site: 01476 /src/net-snmp/snmplib/transports/snmpIPv6BaseDomain.c:273
0 0 None 595 609 netsnmp_getaddrinfo call site: 01147 /src/net-snmp/snmplib/system.c:853
0 0 None 532 544 netsnmp_getaddrinfo call site: 01149 /src/net-snmp/snmplib/system.c:858

Runtime coverage analysis

Covered functions
71
Functions that are reachable but not covered
538
Reachable functions
608
Percentage of reachable functions covered
11.51%

Files reached

filename functions hit
testing/fuzzing/snmp_transport_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 4
snmplib/default_store.c 9
snmplib/snmp_debug.c 1
snmplib/snmp_transport.c 28
snmplib/read_config.c 22
snmplib/strlcpy.c 1
snmplib/snmp_logging.c 7
snmplib/container.c 14
snmplib/snmp_api.c 4
snmplib/transports/snmpTLSBaseDomain.c 20
snmplib/snmp_openssl.c 15
snmplib/callback.c 5
snmplib/cert_util.c 56
snmplib/tools.c 5
snmplib/system.c 5
snmplib/snmp_enum.c 7
snmplib/dir_utils.c 3
snmplib/file_utils.c 5
snmplib/data_list.c 5
snmplib/transports/snmpTLSTCPDomain.c 14
snmplib/transports/snmpIPv4BaseDomain.c 4
/usr/include/openssl/x509.h 2
/usr/include/openssl/x509v3.h 2
snmplib/transports/snmpSocketBaseDomain.c 6
snmplib/transports/snmpDTLSUDPDomain.c 25
snmplib/transports/snmpIPBaseDomain.c 3
snmplib/transports/snmpUDPDomain.c 13
snmplib/transports/snmpUDPIPv4BaseDomain.c 7
snmplib/sd-daemon.c 6
snmplib/transports/snmpUDPBaseDomain.c 1
snmplib/transports/snmpIPv6BaseDomain.c 9
snmplib/transports/snmpUDPIPv6Domain.c 16
snmplib/transports/snmpUDPsharedDomain.c 16
snmplib/transports/snmpSTDDomain.c 10
snmplib/transports/snmpIPXDomain.c 11
snmplib/transports/snmpAAL5PVCDomain.c 10
snmplib/transports/snmpTCPIPv6Domain.c 6
snmplib/transports/snmpTCPDomain.c 6
snmplib/transports/snmpAliasDomain.c 4
snmplib/strlcat.c 1
snmplib/snmp_service.c 2
snmplib/transports/snmpUnixDomain.c 11

Fuzzer: snmp_pdu_parse_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 67 28.1%
gold [1:9] 7 2.94%
yellow [10:29] 20 8.40%
greenyellow [30:49] 8 3.36%
lawngreen 50+ 136 57.1%
All colors 238 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00104 /src/net-snmp/snmplib/snmp_logging.c:1098
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_int call site: 00064 /src/net-snmp/snmplib/asn1.c:581
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int call site: 00078 /src/net-snmp/snmplib/asn1.c:670
0 13 1 : ['_asn_type_err'] 0 13 asn_parse_bitstring call site: 00209 /src/net-snmp/snmplib/asn1.c:1848
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_bitstring call site: 00211 /src/net-snmp/snmplib/asn1.c:1854
0 13 1 : ['_asn_length_err'] 0 13 asn_parse_bitstring call site: 00212 /src/net-snmp/snmplib/asn1.c:1859
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int64 call site: 00135 /src/net-snmp/snmplib/asn1.c:1969
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_unsigned_int64 call site: 00144 /src/net-snmp/snmplib/asn1.c:2025
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_signed_int64 call site: 00183 /src/net-snmp/snmplib/asn1.c:2240
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_signed_int64 call site: 00191 /src/net-snmp/snmplib/asn1.c:2282
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_float call site: 00162 /src/net-snmp/snmplib/asn1.c:2496
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_double call site: 00176 /src/net-snmp/snmplib/asn1.c:2686

Runtime coverage analysis

Covered functions
41
Functions that are reachable but not covered
75
Reachable functions
115
Percentage of reachable functions covered
34.78%

Files reached

filename functions hit
testing/fuzzing/snmp_pdu_parse_fuzzer.c 1
snmplib/snmp_api.c 10
snmplib/asn1.c 18
snmplib/strlcpy.c 1
snmplib/snmp_debug.c 1
snmplib/tools.c 2
snmplib/mib.c 1
snmplib/snmp_logging.c 6
snmplib/default_store.c 1
snmplib/snmp.c 1
snmplib/snmp_client.c 1
snmplib/int64.c 5
snmplib/snmp_secmod.c 1

Fuzzer: snmp_config_mem_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1189 89.8%
gold [1:9] 52 3.93%
yellow [10:29] 6 0.45%
greenyellow [30:49] 5 0.37%
lawngreen 50+ 71 5.36%
All colors 1323 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['malloc', 'debugmsg', 'snmp_get_do_debugging', 'debugmsgtoken', 'strlen'] 260 343 netsnmp_set_mib_directory call site: 00637 /src/net-snmp/snmplib/mib.c:2533
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00027 /src/net-snmp/snmplib/snmp_logging.c:1098
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00110 /src/net-snmp/snmplib/parse.c:1251
0 48 1 : ['snmp_log'] 0 1711 read_module_replacements call site: 00623 /src/net-snmp/snmplib/parse.c:3845
0 0 None 768 1076 netsnmp_get_mib_directory call site: 00633 /src/net-snmp/snmplib/mib.c:2590
0 0 None 264 2691 read_config_read_memory call site: 00001 /src/net-snmp/snmplib/read_config.c:2264
0 0 1 : ['malloc'] 258 2272 read_config_read_objid_const call site: 00050 /src/net-snmp/snmplib/read_config.c:2143
0 0 None 258 269 copy_nword_const call site: 00003 /src/net-snmp/snmplib/read_config.c:1853
0 0 None 256 402 print_error call site: 00479 /src/net-snmp/snmplib/parse.c:780
0 0 None 95 206 _add_strings_to_oid call site: 01242 /src/net-snmp/snmplib/mib.c:5349
0 0 1 : ['malloc'] 2 103 read_config_read_octet_string_const call site: 00044 /src/net-snmp/snmplib/read_config.c:2083
0 0 1 : ['malloc'] 2 11 read_config_read_octet_string_const call site: 00038 /src/net-snmp/snmplib/read_config.c:2035

Runtime coverage analysis

Covered functions
50
Functions that are reachable but not covered
143
Reachable functions
192
Percentage of reachable functions covered
25.52%

Files reached

filename functions hit
testing/fuzzing/snmp_config_mem_fuzzer.c 1
snmplib/read_config.c 11
snmplib/snmp_debug.c 1
snmplib/snmp_logging.c 7
snmplib/default_store.c 4
snmplib/mib.c 46
snmplib/parse.c 63
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 9
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_parse_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 710 74.0%
gold [1:9] 14 1.45%
yellow [10:29] 21 2.18%
greenyellow [30:49] 10 1.04%
lawngreen 50+ 204 21.2%
All colors 959 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
204 204 1 : ['snmp_parse_version'] 5677 8691 _snmp_parse call site: 00337 /src/net-snmp/snmplib/snmp_api.c:4341
19 163 3 : ['se_find_label_in_slist', 'snmp_log', 'strcmp'] 19 163 register_sec_mod call site: 00000 /src/net-snmp/snmplib/snmp_secmod.c:92
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00068 /src/net-snmp/snmplib/snmp_logging.c:1098
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_int call site: 00031 /src/net-snmp/snmplib/asn1.c:581
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int call site: 00179 /src/net-snmp/snmplib/asn1.c:670
0 13 1 : ['_asn_type_err'] 0 13 asn_parse_bitstring call site: 00290 /src/net-snmp/snmplib/asn1.c:1848
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_bitstring call site: 00292 /src/net-snmp/snmplib/asn1.c:1854
0 13 1 : ['_asn_length_err'] 0 13 asn_parse_bitstring call site: 00293 /src/net-snmp/snmplib/asn1.c:1859
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_unsigned_int64 call site: 00216 /src/net-snmp/snmplib/asn1.c:1969
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_unsigned_int64 call site: 00225 /src/net-snmp/snmplib/asn1.c:2025
0 13 1 : ['_asn_size_err'] 0 13 asn_parse_signed_int64 call site: 00264 /src/net-snmp/snmplib/asn1.c:2240
0 13 1 : ['_asn_short_err'] 0 13 asn_parse_signed_int64 call site: 00272 /src/net-snmp/snmplib/asn1.c:2282

Runtime coverage analysis

Covered functions
51
Functions that are reachable but not covered
163
Reachable functions
210
Percentage of reachable functions covered
22.38%

Files reached

filename functions hit
testing/fuzzing/snmp_parse_fuzzer.c 1
snmplib/snmp_api.c 38
snmplib/snmp_debug.c 4
snmplib/asn1.c 50
snmplib/strlcpy.c 1
snmplib/snmp_logging.c 6
snmplib/default_store.c 3
snmplib/mib.c 1
snmplib/tools.c 3
snmplib/snmp_secmod.c 1
snmplib/snmp.c 4
snmplib/snmp_client.c 10
snmplib/int64.c 5
snmplib/snmp_auth.c 1
snmplib/callback.c 4
snmplib/snmpv3.c 2
snmplib/snmp_enum.c 3
snmplib/snmp_transport.c 2

Fuzzer: snmp_print_var_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1039 77.1%
gold [1:9] 90 6.68%
yellow [10:29] 47 3.49%
greenyellow [30:49] 14 1.04%
lawngreen 50+ 156 11.5%
All colors 1346 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1667 1667 3 : ['free', 'strtok_r', 'read_mib'] 2447 2457 netsnmp_init_mib call site: 00000 /src/net-snmp/snmplib/mib.c:2794
260 262 5 : ['malloc', 'debugmsg', 'snmp_get_do_debugging', 'debugmsgtoken', 'strlen'] 260 343 netsnmp_set_mib_directory call site: 00625 /src/net-snmp/snmplib/mib.c:2534
199 199 3 : ['strrchr', 'free', 'add_mibfile'] 199 199 add_mibdir call site: 00000 /src/net-snmp/snmplib/parse.c:5034
197 197 1 : ['add_mibfile'] 6527 9870 netsnmp_init_mib call site: 00000 /src/net-snmp/snmplib/mib.c:2701
15 15 1 : ['printI64'] 15 96 sprint_realloc_counter64 call site: 00293 /src/net-snmp/snmplib/mib.c:959
12 23 3 : ['snmp_realloc', 'sprint_char', 'strlen'] 12 23 _sprint_hexstring_line call site: 00137 /src/net-snmp/snmplib/mib.c:328
2 831 3 : ['snmp_realloc', 'sprint_realloc_octet_string', 'memchr'] 2 1116 sprint_realloc_octet_string call site: 00061 /src/net-snmp/snmplib/mib.c:475
2 2 1 : ['strlen'] 2 29 sprint_realloc_hinted_integer call site: 00329 /src/net-snmp/snmplib/mib.c:1298
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00080 /src/net-snmp/snmplib/parse.c:1251
2 2 1 : ['strlen'] 2 2 strlcat call site: 00815 /src/net-snmp/snmplib/strlcat.c:53
0 707 2 : ['netsnmp_ds_get_boolean', 'sprint_realloc_by_type'] 0 734 sprint_realloc_null call site: 00245 /src/net-snmp/snmplib/mib.c:1772
0 702 1 : ['sprint_realloc_by_type'] 0 734 sprint_realloc_octet_string call site: 00058 /src/net-snmp/snmplib/mib.c:462

Runtime coverage analysis

Covered functions
82
Functions that are reachable but not covered
110
Reachable functions
186
Percentage of reachable functions covered
40.86%

Files reached

filename functions hit
testing/fuzzing/snmp_print_var_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 4
snmplib/default_store.c 5
snmplib/snmp_debug.c 1
snmplib/mib.c 51
snmplib/parse.c 63
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/snmp_logging.c 7
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_parse_oid_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1191 91.5%
gold [1:9] 51 3.92%
yellow [10:29] 5 0.38%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 54 4.15%
All colors 1301 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['malloc', 'debugmsg', 'snmp_get_do_debugging', 'debugmsgtoken', 'strlen'] 260 343 netsnmp_set_mib_directory call site: 00611 /src/net-snmp/snmplib/mib.c:2533
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00066 /src/net-snmp/snmplib/parse.c:1251
0 1872 1 : ['get_node'] 0 1872 read_objid call site: 01288 /src/net-snmp/snmplib/mib.c:3007
0 48 1 : ['snmp_log'] 0 1711 read_module_replacements call site: 00597 /src/net-snmp/snmplib/parse.c:3845
0 0 None 768 1076 netsnmp_get_mib_directory call site: 00607 /src/net-snmp/snmplib/mib.c:2590
0 0 None 256 402 print_error call site: 00453 /src/net-snmp/snmplib/parse.c:780
0 0 None 95 206 _add_strings_to_oid call site: 01217 /src/net-snmp/snmplib/mib.c:5349
0 0 1 : ['free'] 2 2 netsnmp_ds_set_string call site: 00617 /src/net-snmp/snmplib/default_store.c:295
0 0 None 2 2 name_hash call site: 00016 /src/net-snmp/snmplib/parse.c:690
0 0 None 0 1909 snmp_parse_oid call site: 01276 /src/net-snmp/snmplib/mib.c:6077
0 0 None 0 1856 get_node call site: 01273 /src/net-snmp/snmplib/mib.c:5731
0 0 None 0 50 find_best_tree_node call site: 01282 /src/net-snmp/snmplib/parse.c:1361

Runtime coverage analysis

Covered functions
40
Functions that are reachable but not covered
146
Reachable functions
185
Percentage of reachable functions covered
21.08%

Files reached

filename functions hit
testing/fuzzing/snmp_parse_oid_fuzzer.c 1
snmplib/mib.c 50
snmplib/default_store.c 4
snmplib/snmp_debug.c 1
snmplib/parse.c 65
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/snmp_logging.c 7
snmplib/strlcpy.c 1
snmplib/strlcat.c 1
snmplib/snmp_api.c 1

Fuzzer: snmp_scoped_pdu_parse_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 53 61.6%
gold [1:9] 7 8.13%
yellow [10:29] 2 2.32%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 24 27.9%
All colors 86 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
617 855 10 : ['debugmsg', 'netsnmp_memdup', 'debug_indent_add', 'debug_indent_get', 'snmp_get_do_debugging', 'asn_parse_string', 'debugmsgtoken', 'debug_is_token_registered', 'asn_parse_header', 'strdup'] 617 873 snmpv3_scopedPDU_parse call site: 00050 /src/net-snmp/snmplib/snmp_api.c:4960
0 0 None 96 99 free_securityStateRef call site: 00061 /src/net-snmp/snmplib/snmp_api.c:4093
0 0 None 0 106 asn_parse_header call site: 00004 /src/net-snmp/snmplib/asn1.c:1082
0 0 None 0 74 snmp_free_pdu call site: 00060 /src/net-snmp/snmplib/snmp_api.c:5565
0 0 None 0 27 asn_parse_length call site: 00013 /src/net-snmp/snmplib/asn1.c:1307
0 0 None 0 15 snmp_free_pdu call site: 00082 /src/net-snmp/snmplib/snmp_api.c:5571
0 0 None 0 0 asn_parse_nlength call site: 00012 /src/net-snmp/snmplib/asn1.c:330
0 0 None 0 0 asn_parse_nlength call site: 00012 /src/net-snmp/snmplib/asn1.c:333
0 0 None 0 0 asn_parse_length call site: 00014 /src/net-snmp/snmplib/asn1.c:1313
0 0 None 0 0 strlcpy call site: 00007 /src/net-snmp/snmplib/strlcpy.c:30
0 0 None 0 0 strlcpy call site: 00007 /src/net-snmp/snmplib/strlcpy.c:34

Runtime coverage analysis

Covered functions
16
Functions that are reachable but not covered
40
Reachable functions
55
Percentage of reachable functions covered
27.27%

Files reached

filename functions hit
testing/fuzzing/snmp_scoped_pdu_parse_fuzzer.c 1
snmplib/snmp_api.c 7
snmplib/asn1.c 8
snmplib/strlcpy.c 1
snmplib/snmp_debug.c 1
snmplib/mib.c 1
snmplib/tools.c 2
snmplib/snmp_secmod.c 1
snmplib/snmp_logging.c 6
snmplib/default_store.c 1

Fuzzer: agentx_parse_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 126 26.7%
gold [1:9] 4 0.84%
yellow [10:29] 15 3.18%
greenyellow [30:49] 38 8.06%
lawngreen 50+ 288 61.1%
All colors 471 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
260 262 5 : ['snmp_get_do_debugging', 'debugmsg', 'DH_free', 'free', 'debugmsgtoken'] 260 262 usm_free_user call site: 00467 /src/net-snmp/snmplib/snmpusm.c:748
192 192 1 : ['snmp_log'] 192 192 snmp_set_var_value call site: 00103 /src/net-snmp/snmplib/snmp_client.c:842
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00124 /src/net-snmp/snmplib/snmp_client.c:920
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00126 /src/net-snmp/snmplib/snmp_client.c:940
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00127 /src/net-snmp/snmplib/snmp_client.c:966
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00128 /src/net-snmp/snmplib/snmp_client.c:977
48 48 1 : ['snmp_log'] 48 48 snmp_set_var_value call site: 00129 /src/net-snmp/snmplib/snmp_client.c:987
0 12 1 : ['snmp_free_var'] 0 12 snmp_varlist_add_variable call site: 00102 /src/net-snmp/snmplib/snmp_api.c:7302
0 0 None 11990 22368 _agentx_realloc_build call site: 00213 /src/net-snmp/agent/mibgroup/agentx/protocol.c:705
0 0 None 6626 15679 agentx_parse call site: 00003 /src/net-snmp/agent/mibgroup/agentx/protocol.c:1588
0 0 None 3900 8708 agentx_realloc_build_varbind call site: 00367 /src/net-snmp/agent/mibgroup/agentx/protocol.c:392
0 0 None 3900 8708 agentx_realloc_build_varbind call site: 00370 /src/net-snmp/agent/mibgroup/agentx/protocol.c:402

Runtime coverage analysis

Covered functions
41
Functions that are reachable but not covered
85
Reachable functions
125
Percentage of reachable functions covered
32.0%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/agentx_parse_fuzzer.c 1
agent/mibgroup/agentx/protocol.c 22
snmplib/snmp_debug.c 2
snmplib/mib.c 1
snmplib/tools.c 1
snmplib/snmp_client.c 4
snmplib/snmp_api.c 9
snmplib/snmp_logging.c 6
snmplib/default_store.c 1
snmplib/strlcpy.c 1
snmplib/snmp_secmod.c 1
snmplib/snmpusm.c 1

Fuzzer: snmp_e2e_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5006 82.9%
gold [1:9] 651 10.7%
yellow [10:29] 69 1.14%
greenyellow [30:49] 23 0.38%
lawngreen 50+ 287 4.75%
All colors 6036 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4442 4442 1 : ['_sess_read_accept'] 4442 4442 _sess_read call site: 04711 /src/net-snmp/snmplib/snmp_api.c:6192
1667 1667 3 : ['free', 'strtok_r', 'read_mib'] 1679 2457 netsnmp_init_mib call site: 05897 /src/net-snmp/snmplib/mib.c:2794
1414 1414 6 : ['fclose', '_cert_read_index', '_certindex_new', '_add_certfile', 'netsnmp_directory_container_free', 'netsnmp_directory_container_read_some'] 1414 2582 _add_certdir call site: 00591 /src/net-snmp/snmplib/cert_util.c:1639
1079 2168 23 : ['opendir', 'realloc', 'strlcpy', 'strlen', 'skip_white', 'read_config_get_handlers', 'strrchr', 'strlcat', 'read_config', 'free', 'strcasecmp', 'strcmp', 'netsnmp_config_error', 'fgets', 'read_config_files_of_type', 'fclose', 'closedir', 'strncasecmp', 'netsnmp_ds_get_boolean', 'run_config_handler', 'readdir', 'netsnmp_config_warn', 'copy_nword'] 1079 3200 read_config call site: 02298 /src/net-snmp/snmplib/read_config.c:773
302 818 5 : ['snmp_get_do_debugging', 'debugmsg', 'debugmsgtoken', 'snmpv3_engineID_probe', 'snmp_sess_close'] 302 818 snmp_sess_add_ex call site: 04784 /src/net-snmp/snmplib/snmp_api.c:1900
241 241 3 : ['calloc', 'snmp_sess_close', 'usm_cloneFrom_user'] 241 241 _sess_copy call site: 04777 /src/net-snmp/snmplib/snmp_api.c:1314
216 216 1 : ['snmp_sess_close'] 216 216 snmp_close call site: 04668 /src/net-snmp/snmplib/snmp_api.c:2102
204 204 1 : ['snmp_parse_version'] 3565 8691 _snmp_parse call site: 04828 /src/net-snmp/snmplib/snmp_api.c:4341
199 212 4 : ['get_default_privtype', 'snmp_perror', 'generate_Ku', 'snmp_duplicate_objid'] 205 486 netsnmp_parse_args call site: 06009 /src/net-snmp/snmplib/snmp_parse_args.c:593
199 199 3 : ['strrchr', 'free', 'add_mibfile'] 199 199 add_mibdir call site: 05840 /src/net-snmp/snmplib/parse.c:5034
197 197 1 : ['add_mibfile'] 5247 9870 netsnmp_init_mib call site: 05866 /src/net-snmp/snmplib/mib.c:2701
118 118 1 : ['netsnmp_transport_free'] 118 118 snmp_sess_add_ex call site: 04735 /src/net-snmp/snmplib/snmp_api.c:1871

Runtime coverage analysis

Covered functions
311
Functions that are reachable but not covered
908
Reachable functions
1211
Percentage of reachable functions covered
25.02%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_e2e_fuzzer.c 4
snmplib/snmp_parse_args.c 3
snmplib/snmp_api.c 84
snmplib/parse.c 71
snmplib/snmp_debug.c 10
snmplib/mib.c 43
snmplib/default_store.c 11
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 10
snmplib/int64.c 5
snmplib/snmp_logging.c 9
snmplib/snmp_transport.c 30
snmplib/transports/snmpTLSBaseDomain.c 20
snmplib/snmp_openssl.c 15
snmplib/read_config.c 44
snmplib/strlcpy.c 1
snmplib/callback.c 7
snmplib/cert_util.c 59
snmplib/system.c 7
snmplib/snmp_enum.c 14
snmplib/dir_utils.c 3
snmplib/container.c 22
snmplib/file_utils.c 5
snmplib/data_list.c 5
snmplib/transports/snmpTLSTCPDomain.c 14
snmplib/transports/snmpIPv4BaseDomain.c 4
/usr/include/openssl/x509.h 2
/usr/include/openssl/x509v3.h 2
snmplib/transports/snmpSocketBaseDomain.c 6
snmplib/transports/snmpDTLSUDPDomain.c 25
snmplib/transports/snmpIPBaseDomain.c 3
snmplib/transports/snmpUDPDomain.c 8
snmplib/transports/snmpUDPIPv4BaseDomain.c 7
snmplib/sd-daemon.c 6
snmplib/transports/snmpUDPBaseDomain.c 1
snmplib/transports/snmpIPv6BaseDomain.c 7
snmplib/transports/snmpUDPIPv6Domain.c 14
snmplib/transports/snmpUDPsharedDomain.c 16
snmplib/transports/snmpSTDDomain.c 10
snmplib/transports/snmpIPXDomain.c 11
snmplib/transports/snmpAAL5PVCDomain.c 10
snmplib/transports/snmpTCPIPv6Domain.c 6
snmplib/transports/snmpTCPDomain.c 6
snmplib/transports/snmpAliasDomain.c 4
snmplib/strlcat.c 1
snmplib/snmp_service.c 10
snmplib/transports/snmpUnixDomain.c 10
snmplib/snmp_version.c 1
snmplib/container_binary_array.c 31
snmplib/container_list_ssll.c 1
snmplib/container_null.c 2
snmplib/snmpv3.c 24
snmplib/lcd_time.c 6
snmplib/scapi.c 20
snmplib/snmp_secmod.c 4
snmplib/snmpusm.c 57
snmplib/asn1.c 51
snmplib/keytools.c 5
snmplib/snmp_client.c 15
snmplib/snmp.c 4
snmplib/large_fd_set.c 10
snmplib/snmp_alarm.c 11
snmplib/snmp_auth.c 1
snmplib/snmptsm.c 7
snmplib/snmpksm.c 12
snmplib/vacm.c 1

Fuzzer: snmp_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1229 93.1%
gold [1:9] 8 0.60%
yellow [10:29] 3 0.22%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 79 5.98%
All colors 1319 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1755 1755 2 : ['new_module', 'netsnmp_read_module'] 1757 1757 read_mib call site: 00071 /src/net-snmp/snmplib/parse.c:5069
1292 2421 7 : ['debugmsg', 'stat', 'read_config', 'snmp_get_do_debugging', 'debugmsgtoken', 'strncmp', 'strlen'] 1292 2421 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1338
264 266 5 : ['debugmsg', 'strerror', 'snmp_get_do_debugging', 'debugmsgtoken', '__errno_location'] 264 266 read_config call site: 00000 /src/net-snmp/snmplib/read_config.c:781
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00054 /src/net-snmp/snmplib/snmp_logging.c:1098
2 132 3 : ['internal_register_config_handler', 'strlcpy', 'strchr'] 2 132 internal_register_config_handler call site: 00005 /src/net-snmp/snmplib/read_config.c:164
2 2 1 : ['__errno_location'] 2 50 snmp_log_perror call site: 00046 /src/net-snmp/snmplib/snmp_logging.c:1412
2 2 1 : ['strlen'] 2 2 strlcat call site: 00837 /src/net-snmp/snmplib/strlcat.c:53
0 5 1 : ['netsnmp_ds_get_string'] 530 669 internal_register_config_handler call site: 00003 /src/net-snmp/snmplib/read_config.c:156
0 0 None 1292 2421 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1281
0 0 None 1292 2421 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1310
0 0 None 1292 2421 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1330
0 0 None 1292 2421 read_config_files_in_path call site: 00000 /src/net-snmp/snmplib/read_config.c:1335

Runtime coverage analysis

Covered functions
41
Functions that are reachable but not covered
165
Reachable functions
205
Percentage of reachable functions covered
19.51%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_config_fuzzer.c 1
snmplib/mib.c 39
snmplib/read_config.c 10
snmplib/default_store.c 9
snmplib/strlcpy.c 1
snmplib/snmp_debug.c 1
snmplib/parse.c 64
snmplib/snmp_logging.c 7
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/strlcat.c 1

Fuzzer: snmp_api_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1591 63.6%
gold [1:9] 100 4.00%
yellow [10:29] 49 1.96%
greenyellow [30:49] 66 2.64%
lawngreen 50+ 692 27.7%
All colors 2498 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4208 8109 17 : ['snmp_get_do_debugging', 'snmp_pdu_type', 'asn_build_int', 'free', 'debug_is_token_registered', 'snmp_pdu_build', 'asn_realloc_rbuild_sequence', 'asn_build_sequence', 'snmp_pdu_realloc_rbuild', 'debugmsg', 'asn_realloc_rbuild_string', 'netsnmp_memdup', 'debug_indent_add', 'debug_indent_get', 'debugmsgtoken', 'asn_build_string', 'asn_realloc_rbuild_int'] 4208 8109 _snmp_build call site: 02398 /src/net-snmp/snmplib/snmp_api.c:2997
260 262 5 : ['malloc', 'debugmsg', 'snmp_get_do_debugging', 'debugmsgtoken', 'strlen'] 260 343 netsnmp_set_mib_directory call site: 00835 /src/net-snmp/snmplib/mib.c:2533
256 273 4 : ['snmp_get_do_debugging', 'debugmsg', 'snmp_free_varbind', 'debugmsgtoken'] 256 301 snmp_pdu_build call site: 01723 /src/net-snmp/snmplib/snmp_api.c:3467
105 105 1 : ['snmp_call_callbacks'] 3142 3575 _snmp_parse call site: 02062 /src/net-snmp/snmplib/snmp_api.c:4432
19 163 3 : ['se_find_label_in_slist', 'snmp_log', 'strcmp'] 19 163 register_sec_mod call site: 00000 /src/net-snmp/snmplib/snmp_secmod.c:92
6 139 5 : ['snmp_pdu_add_variable', 'strtoul', 'snmp_realloc', 'strcmp', 'strtok_r'] 6 175 snmp_add_var call site: 01551 /src/net-snmp/snmplib/snmp_api.c:7667
2 2 1 : ['strcmp'] 2 2 find_tree_node call site: 00312 /src/net-snmp/snmplib/parse.c:1251
0 1872 1 : ['get_node'] 0 1872 read_objid call site: 01510 /src/net-snmp/snmplib/mib.c:3007
0 1168 3 : ['asn_realloc_rbuild_objid', 'asn_realloc_rbuild_string', 'asn_realloc_rbuild_unsigned_int'] 2505 4726 snmp_pdu_realloc_rbuild call site: 02298 /src/net-snmp/snmplib/snmp_api.c:3595
0 96 1 : ['store_byte'] 1222 1461 asn_realloc_rbuild_objid call site: 02230 /src/net-snmp/snmplib/asn1.c:3308
0 48 1 : ['snmp_log'] 0 1711 read_module_replacements call site: 00821 /src/net-snmp/snmplib/parse.c:3845
0 48 1 : ['snmp_log'] 0 48 snmp_set_var_value call site: 00125 /src/net-snmp/snmplib/snmp_client.c:920

Runtime coverage analysis

Covered functions
162
Functions that are reachable but not covered
192
Reachable functions
350
Percentage of reachable functions covered
45.14%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_api_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 7
agent/mibgroup/agentx/protocol.c 11
snmplib/snmp_debug.c 5
snmplib/mib.c 50
snmplib/tools.c 8
snmplib/snmp_client.c 11
snmplib/snmp_api.c 43
snmplib/snmp_logging.c 7
snmplib/default_store.c 5
snmplib/strlcpy.c 1
snmplib/int64.c 9
snmplib/parse.c 65
snmplib/../include/net-snmp/library/tools.h 1
snmplib/strlcat.c 1
snmplib/asn1.c 50
snmplib/snmp.c 4
snmplib/snmp_secmod.c 1
snmplib/snmp_auth.c 1
snmplib/callback.c 4
snmplib/snmpv3.c 3
snmplib/snmp_enum.c 3
snmplib/snmp_transport.c 2

Fuzzer: snmp_mib_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 614 50.8%
gold [1:9] 108 8.94%
yellow [10:29] 16 1.32%
greenyellow [30:49] 16 1.32%
lawngreen 50+ 454 37.5%
All colors 1208 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
512 11381 20 : ['parse_imports', 'parse_macro', 'parse_objectgroup', 'scan_objlist', 'parse_compliance', 'parse_asntype', 'parse_capabilities', 'snmp_get_do_debugging', 'parse_notificationDefinition', 'parse_objecttype', 'do_linkup', 'strlcpy', 'debugmsg', 'parse_trapDefinition', 'get_token', 'which_module', 'debugmsgtoken', 'parse_objectid', 'parse_moduleIdentity', 'new_module'] 512 12912 parse call site: 00679 /src/net-snmp/snmplib/parse.c:4477
512 11381 20 : ['parse_imports', 'parse_macro', 'parse_objectgroup', 'scan_objlist', 'parse_compliance', 'parse_asntype', 'parse_capabilities', 'snmp_get_do_debugging', 'parse_notificationDefinition', 'parse_objecttype', 'do_linkup', 'strlcpy', 'debugmsg', 'parse_trapDefinition', 'get_token', 'which_module', 'debugmsgtoken', 'parse_objectid', 'parse_moduleIdentity', 'new_module'] 512 12912 parse call site: 00890 /src/net-snmp/snmplib/parse.c:4536
260 262 5 : ['malloc', 'debugmsg', 'snmp_get_do_debugging', 'debugmsgtoken', 'strlen'] 260 343 netsnmp_set_mib_directory call site: 00623 /src/net-snmp/snmplib/mib.c:2533
72 72 1 : ['dump_module_list'] 844 2885 do_linkup call site: 00509 /src/net-snmp/snmplib/parse.c:1723
61 61 2 : ['snmp_log_perror', '__errno_location'] 61 61 read_module_internal call site: 00495 /src/net-snmp/snmplib/parse.c:3928
57 57 1 : ['snmp_log_perror'] 57 57 read_mib call site: 00006 /src/net-snmp/snmplib/parse.c:5062
12 1641 9 : ['tossObjectIdentifier', 'netsnmp_ds_get_boolean', 'get_token', 'free_indexes', 'merge_parse_objectid', 'strlen', 'getIndexes', 'strlcat', 'strdup'] 12 2865 parse_objecttype call site: 00814 /src/net-snmp/snmplib/parse.c:2740
10 17 7 : ['strtoul', 'malloc', 'strcat', 'alloc_node', 'strcpy', 'strlen', 'strdup'] 10 147 parse_trapDefinition call site: 00921 /src/net-snmp/snmplib/parse.c:2995
9 9 1 : ['sprintf_stamp'] 11 11 log_handler_stdouterr call site: 00016 /src/net-snmp/snmplib/snmp_logging.c:1098
2 2 1 : ['strdup'] 4 6420 parse_compliance call site: 00966 /src/net-snmp/snmplib/parse.c:3164
2 2 1 : ['strdup'] 2 1611 parse_moduleIdentity call site: 01129 /src/net-snmp/snmplib/parse.c:3554
2 2 1 : ['strlen'] 2 2 strlcat call site: 00802 /src/net-snmp/snmplib/strlcat.c:53

Runtime coverage analysis

Covered functions
80
Functions that are reachable but not covered
87
Reachable functions
166
Percentage of reachable functions covered
47.59%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_mib_fuzzer.c 1
snmplib/parse.c 64
snmplib/snmp_logging.c 7
snmplib/default_store.c 4
snmplib/snmp_debug.c 1
snmplib/mib.c 34
snmplib/../include/net-snmp/library/tools.h 1
snmplib/tools.c 3
snmplib/int64.c 5
snmplib/strlcpy.c 1
snmplib/strlcat.c 1

Fuzzer: snmp_agent_e2e_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 6804 75.9%
gold [1:9] 123 1.37%
yellow [10:29] 98 1.09%
greenyellow [30:49] 39 0.43%
lawngreen 50+ 1889 21.0%
All colors 8953 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
10678 10678 1 : ['real_init_master'] 10901 11173 init_master_agent call site: 08605 /src/net-snmp/agent/snmp_agent.c:1525
9247 9247 1 : ['subagent_init'] 9247 23195 init_agent call site: 08271 /src/net-snmp/agent/snmp_vars.c:311
4879 5028 11 : ['malloc', 'debugmsg', 'netsnmp_max_send_msg_size', 'snmpv3_engineID_probe', 'count_varbinds', 'netsnmp_ds_get_boolean', 'snmp_log', 'snmp_get_do_debugging', 'netsnmp_build_packet', 'free', 'debugmsgtoken'] 4879 5028 _build_initial_pdu_packet call site: 04630 /src/net-snmp/snmplib/snmp_api.c:5054
4037 4039 6 : ['get_wild_node', 'debugmsg', 'clear_tree_flags', 'get_node', 'snmp_get_do_debugging', 'debugmsgtoken'] 4037 4039 snmp_parse_oid call site: 07017 /src/net-snmp/snmplib/mib.c:6084
2275 4774 6 : ['netsnmp_remove_and_free_agent_snmp_session', 'snmp_send', 'snmp_call_callbacks', 'snmp_free_pdu', 'send_easy_trap', 'snmp_increment_statistic'] 2275 4774 handle_snmp_packet call site: 06639 /src/net-snmp/agent/snmp_agent.c:2242
1872 1872 1 : ['get_node'] 1872 1872 read_objid call site: 07017 /src/net-snmp/snmplib/mib.c:3007
1859 1859 1 : ['_sess_async_send'] 1859 1859 snmp_sess_async_send call site: 04628 /src/net-snmp/snmplib/snmp_api.c:5502
1667 1667 3 : ['free', 'strtok_r', 'read_mib'] 2447 2457 netsnmp_init_mib call site: 06225 /src/net-snmp/snmplib/mib.c:2794
1414 1414 6 : ['fclose', '_cert_read_index', '_certindex_new', '_add_certfile', 'netsnmp_directory_container_free', 'netsnmp_directory_container_read_some'] 2566 2582 _add_certdir call site: 00914 /src/net-snmp/snmplib/cert_util.c:1639
1292 2421 7 : ['debugmsg', 'stat', 'read_config', 'snmp_get_do_debugging', 'debugmsgtoken', 'strncmp', 'strlen'] 1292 2421 read_config_files_in_path call site: 02594 /src/net-snmp/snmplib/read_config.c:1338
912 912 1 : ['netsnmp_pdu_stats_process'] 1937 6262 netsnmp_wrap_up_request call site: 06804 /src/net-snmp/agent/snmp_agent.c:1895
707 707 1 : ['debugmsg_oid'] 770 1172 netsnmp_subtree_unload call site: 00278 /src/net-snmp/agent/agent_registry.c:1624

Runtime coverage analysis

Covered functions
589
Functions that are reachable but not covered
1273
Reachable functions
1850
Percentage of reachable functions covered
31.19%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
testing/fuzzing/snmp_agent_e2e_fuzzer.c 1
testing/fuzzing/ada_fuzz_header.h 4
agent/snmp_vars.c 6
snmplib/snmp_logging.c 11
snmplib/default_store.c 12
agent/snmp_agent.c 58
snmplib/tools.c 14
snmplib/snmp_debug.c 12
agent/kernel.c 2
agent/agent_registry.c 40
snmplib/snmp_api.c 100
agent/helpers/null.c 3
agent/agent_handler.c 31
agent/helpers/bulk_to_next.c 4
snmplib/snmp_enum.c 15
snmplib/snmp_client.c 22
snmplib/mib.c 69
snmplib/../include/net-snmp/library/tools.h 1
snmplib/callback.c 10
agent/agent_read_config.c 8
snmplib/read_config.c 52
snmplib/strlcpy.c 1
agent/agent_trap.c 27
snmplib/parse.c 75
snmplib/int64.c 9
snmplib/snmp_transport.c 36
snmplib/transports/snmpTLSBaseDomain.c 20