Project overview: openvpn

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 0 0.0%

gold [1:9] 0 0.0%

yellow [10:29] 0 0.0%

greenyellow [30:49] 0 0.0%

lawngreen 50+ 7 100.%

All colors 7 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	0	0.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	7	100.%
All colors	7	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	0	None	0	0	openvpn_base64_encode	call site: 00001	/src/openvpn/src/openvpn/base64.c:61
0	0	None	0	0	openvpn_base64_encode	call site: 00001	/src/openvpn/src/openvpn/base64.c:66

Runtime coverage analysis

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

71.43%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_base64.c	1
openvpnopenvpn/base64.c	4

Fuzzer: fuzz_misc

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 576 82.1%

gold [1:9] 0 0.0%

yellow [10:29] 0 0.0%

greenyellow [30:49] 0 0.0%

lawngreen 50+ 125 17.8%

All colors 701 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	576	82.1%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	125	17.8%
All colors	701	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	11	2 : View List ['check_malloc_return', 'calloc']	2	11	string_alloc	call site: 00198	/src/openvpn/src/openvpn/buffer.c:703
2	2	3 : View List ['secure_memzero.439', 'free', 'strlen']	2	2	remove_env_item	call site: 00303	/src/openvpn/src/openvpn/env_set.c:115
0	968	1 : View List ['env_set_del']	0	968	setenv_str_ex	call site: 00289	/src/openvpn/src/openvpn/env_set.c:362
0	0	None	2	15	openvpn_base64_decode	call site: 00684	/src/openvpn/src/openvpn/base64.c:167
0	0	None	0	16	format_hex_ex	call site: 00651	/src/openvpn/src/openvpn/buffer.c:542
0	0	None	0	16	format_hex_ex	call site: 00652	/src/openvpn/src/openvpn/buffer.c:546
0	0	None	0	13	alloc_buf_gc	call site: 00246	/src/openvpn/src/openvpn/buffer.c:94
0	0	None	0	9	gc_malloc	call site: 00006	/src/openvpn/src/openvpn/buffer.c:386
0	0	None	0	0	openvpn_base64_decode	call site: 00686	/src/openvpn/src/openvpn/base64.c:179
0	0	None	0	0	openvpn_base64_decode	call site: 00686	/src/openvpn/src/openvpn/base64.c:186
0	0	None	0	0	openvpn_base64_decode	call site: 00686	/src/openvpn/src/openvpn/base64.c:194
0	0	None	0	0	string_alloc	call site: 00197	/src/openvpn/src/openvpn/buffer.c:698

Runtime coverage analysis

194

246

21.14%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_misc.c	1
fuzz_randomizer.cpp	4
openvpnopenvpn/./buffer.h	17
openvpnopenvpn/env_set.c	17
openvpnopenvpn/buffer.c	23
openvpnopenvpn/error.c	9
openvpnopenvpn/./error.h	6
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	11
openvpnopenvpn/./event.h	1
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	4
openvpnopenvpn/./interval.h	1
openvpnopenvpn/sig.c	2
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	1
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	3
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	3
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	1
openvpnopenvpn/otime.c	1
openvpnopenvpn/misc.c	3
openvpnopenvpn/crypto.c	1
openvpnopenvpn/crypto_openssl.c	2
openvpnopenvpn/base64.c	3

Fuzzer: fuzz_list

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 611 91.3%

gold [1:9] 0 0.0%

yellow [10:29] 0 0.0%

greenyellow [30:49] 1 0.14%

lawngreen 50+ 57 8.52%

All colors 669 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	611	91.3%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.14%
lawngreen	50+	57	8.52%
All colors	669	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
3	3	1 : View List ['x_gc_free']	6	6	gc_free	call site: 00314	/src/openvpn/src/openvpn/./buffer.h:1021
0	0	None	969	969	hash_iterator_init_range	call site: 00631	/src/openvpn/src/openvpn/list.c:230
0	0	None	0	0	hash_add	call site: 00647	/src/openvpn/src/openvpn/list.c:161

Runtime coverage analysis

211

247

14.57%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_list.c	2
fuzz_randomizer.cpp	4
openvpnopenvpn/./buffer.h	12
openvpnopenvpn/list.c	16
openvpnopenvpn/error.c	9
openvpnopenvpn/./error.h	5
openvpnopenvpn/buffer.c	20
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	11
openvpnopenvpn/./event.h	1
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	4
openvpnopenvpn/./interval.h	1
openvpnopenvpn/sig.c	2
openvpnopenvpn/env_set.c	14
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	1
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	3
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	3
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	1
openvpnopenvpn/otime.c	1
openvpnopenvpn/./list.h	7

Fuzzer: fuzz_mroute

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 608 83.7%

gold [1:9] 0 0.0%

yellow [10:29] 0 0.0%

greenyellow [30:49] 0 0.0%

lawngreen 50+ 118 16.2%

All colors 726 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	608	83.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	118	16.2%
All colors	726	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
971	971	1 : View List ['openvpn_exit']	1940	1940	x_msg_va	call site: 00614	/src/openvpn/src/openvpn/error.c:393
969	969	1 : View List ['usage_small']	969	969	x_msg_va	call site: 00615	/src/openvpn/src/openvpn/error.c:398
4	4	1 : View List ['openvpn_strerror']	1952	4865	x_msg_va	call site: 00029	/src/openvpn/src/openvpn/error.c:278
2	11	2 : View List ['check_malloc_return', 'calloc']	2	11	string_alloc	call site: 00192	/src/openvpn/src/openvpn/buffer.c:703
2	2	1 : View List ['virtual_output_print']	1948	4857	x_msg_va	call site: 00036	/src/openvpn/src/openvpn/error.c:325
2	2	1 : View List ['gettimeofday']	1944	2912	x_msg_va	call site: 00600	/src/openvpn/src/openvpn/error.c:351
2	2	1 : View List ['ntohs']	2	2	mroute_addr_print_ex	call site: 00671	/src/openvpn/src/openvpn/mroute.c:422
0	974	2 : View List ['netbits_to_netmask', 'print_in_addr_t']	2	976	mroute_addr_print_ex	call site: 00667	/src/openvpn/src/openvpn/mroute.c:410
0	968	2 : View List ['x_msg', 'msg_test.575']	1940	2908	x_msg_va	call site: 00612	/src/openvpn/src/openvpn/error.c:388
0	0	None	1952	5872	x_msg_va	call site: 00015	/src/openvpn/src/openvpn/error.c:253
0	0	None	1952	4891	x_msg_va	call site: 00018	/src/openvpn/src/openvpn/error.c:265
0	0	None	1948	4861	x_msg_va	call site: 00032	/src/openvpn/src/openvpn/error.c:285

Runtime coverage analysis

193

248

22.18%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_mroute.c	1
fuzz_randomizer.cpp	4
openvpnopenvpn/./buffer.h	15
openvpnopenvpn/buffer.c	23
openvpnopenvpn/error.c	9
openvpnopenvpn/./error.h	5
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	11
openvpnopenvpn/./event.h	1
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	4
openvpnopenvpn/./interval.h	1
openvpnopenvpn/sig.c	2
openvpnopenvpn/env_set.c	14
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	1
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	3
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	3
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	1
openvpnopenvpn/otime.c	1
openvpnopenvpn/mroute.c	19

Fuzzer: fuzz_dhcp

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 622 96.2%

gold [1:9] 0 0.0%

yellow [10:29] 0 0.0%

greenyellow [30:49] 0 0.0%

lawngreen 50+ 24 3.71%

All colors 646 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	622	96.2%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	24	3.71%
All colors	646	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique Reachable Functions	Function Name	Function Callsite	Blocked Branch
None	buf_write	call site: 00626	/src/openvpn/src/openvpn/./buffer.h:689
None	buf_write_alloc	call site: 00627	/src/openvpn/src/openvpn/./buffer.h:656
None	buf_bptr	call site: 00253	/src/openvpn/src/openvpn/./buffer.h:242
None	buf_len	call site: 00632	/src/openvpn/src/openvpn/./buffer.h:255

Runtime coverage analysis

216

231

6.49%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_dhcp.c	1
fuzz_randomizer.cpp	3
openvpnopenvpn/buffer.c	21
openvpnopenvpn/./buffer.h	16
openvpnopenvpn/./error.h	5
openvpnopenvpn/error.c	9
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	11
openvpnopenvpn/./event.h	1
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	4
openvpnopenvpn/./interval.h	1
openvpnopenvpn/sig.c	2
openvpnopenvpn/env_set.c	14
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	1
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	3
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	3
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	1
openvpnopenvpn/otime.c	1
openvpnopenvpn/dhcp.c	3
openvpnopenvpn/proto.c	1

Fuzzer: fuzz_packet_id

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 650 84.8%

gold [1:9] 0 0.0%

yellow [10:29] 0 0.0%

greenyellow [30:49] 1 0.13%

lawngreen 50+ 115 15.0%

All colors 766 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	650	84.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.13%
lawngreen	50+	115	15.0%
All colors	766	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
968	968	2 : View List ['x_msg', 'msg_test.2355']	968	970	packet_id_persist_close	call site: 00760	/src/openvpn/src/openvpn/packet_id.c:423
2	11	2 : View List ['check_malloc_return', 'calloc']	2	11	string_alloc	call site: 00189	/src/openvpn/src/openvpn/buffer.c:703
2	2	1 : View List ['_exit']	970	970	packet_id_persist_load	call site: 00723	/src/openvpn/src/openvpn/packet_id.c:454
0	3	1 : View List ['x_gc_free']	3	6	gc_free	call site: 00309	/src/openvpn/src/openvpn/./buffer.h:1021
0	0	None	968	968	packet_id_persist_load	call site: 00719	/src/openvpn/src/openvpn/packet_id.c:442
0	0	None	968	968	packet_id_persist_save	call site: 00747	/src/openvpn/src/openvpn/packet_id.c:495
0	0	None	968	968	packet_id_persist_save	call site: 00748	/src/openvpn/src/openvpn/packet_id.c:498
0	0	None	4	30	packet_id_write	call site: 00679	/src/openvpn/src/openvpn/packet_id.c:352
0	0	None	0	9	gc_malloc	call site: 00017	/src/openvpn/src/openvpn/buffer.c:386
0	0	None	0	0	string_alloc	call site: 00188	/src/openvpn/src/openvpn/buffer.c:698
0	0	None	0	0	buf_set_write	call site: 00676	/src/openvpn/src/openvpn/./buffer.h:333
0	0	None	0	0	buf_bptr	call site: 00249	/src/openvpn/src/openvpn/./buffer.h:242

Runtime coverage analysis

217

266

18.42%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_packet_id.c	1
fuzz_randomizer.cpp	4
openvpnopenvpn/packet_id.c	15
openvpnopenvpn/./error.h	5
openvpnopenvpn/error.c	9
openvpnopenvpn/./buffer.h	21
openvpnopenvpn/buffer.c	21
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	11
openvpnopenvpn/./event.h	1
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	4
openvpnopenvpn/./interval.h	1
openvpnopenvpn/sig.c	2
openvpnopenvpn/env_set.c	14
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	3
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	3
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	4
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	1
openvpnopenvpn/otime.c	2
openvpnopenvpn/./otime.h	1
openvpnopenvpn/./packet_id.h	2
openvpnopenvpn/./fuzz_header.h	1

Fuzzer: fuzz_proxy

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 1814 88.1%

gold [1:9] 91 4.42%

yellow [10:29] 55 2.67%

greenyellow [30:49] 3 0.14%

lawngreen 50+ 94 4.56%

All colors 2057 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	1814	88.1%
gold	[1:9]	91	4.42%
yellow	[10:29]	55	2.67%
greenyellow	[30:49]	3	0.14%
lawngreen	50+	94	4.56%
All colors	2057	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
3015	3015	2 : View List ['cipher_des_encrypt_ecb', 'create_des_keys']	3021	4006	ntlm_phase_3	call site: 01844	/src/openvpn/src/openvpn/ntlm.c:284
2284	2284	1 : View List ['get_user_pass_http']	33596	60882	establish_http_proxy_passthru	call site: 00644	/src/openvpn/src/openvpn/proxy.c:653
968	1955	3 : View List ['msg_test.3004', 'x_msg', 'send_line_crlf']	968	1955	add_proxy_headers	call site: 01737	/src/openvpn/src/openvpn/proxy.c:618
968	968	2 : View List ['x_msg', 'msg_test.10183']	976	5017	ntlm_phase_3	call site: 01848	/src/openvpn/src/openvpn/ntlm.c:291
968	968	2 : View List ['msg_test.3004', 'x_msg']	974	974	establish_http_proxy_passthru	call site: 02044	/src/openvpn/src/openvpn/proxy.c:1043
968	968	2 : View List ['msg_test.3004', 'x_msg']	968	968	send_line	call site: 01725	/src/openvpn/src/openvpn/proxy.c:201
968	968	2 : View List ['msg_test.3004', 'x_msg']	968	968	recv_line	call site: 01783	/src/openvpn/src/openvpn/proxy.c:122
968	968	2 : View List ['msg_test.3004', 'x_msg']	968	968	recv_line	call site: 01790	/src/openvpn/src/openvpn/proxy.c:166
0	0	None	30344	56643	establish_http_proxy_passthru	call site: 01717	/src/openvpn/src/openvpn/proxy.c:677
0	0	None	30344	55637	establish_http_proxy_passthru	call site: 01727	/src/openvpn/src/openvpn/proxy.c:682
0	0	None	26458	49777	establish_http_proxy_passthru	call site: 01759	/src/openvpn/src/openvpn/proxy.c:709
0	0	None	24522	45886	establish_http_proxy_passthru	call site: 01768	/src/openvpn/src/openvpn/proxy.c:718

Runtime coverage analysis

461

543

15.1%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_proxy.c	1
fuzz_randomizer.cpp	6
openvpnopenvpn/./buffer.h	30
openvpnopenvpn/buffer.c	39
openvpnopenvpn/./error.h	7
openvpnopenvpn/error.c	14
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	93
openvpnopenvpn/./event.h	4
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	17
openvpnopenvpn/./interval.h	3
openvpnopenvpn/sig.c	8
openvpnopenvpn/env_set.c	14
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	6
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	5
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	6
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	3
openvpnopenvpn/otime.c	2
openvpnopenvpn/proxy.c	15
openvpnopenvpn/misc.c	5
openvpnopenvpn/./misc.h	1
openvpnopenvpn/./manage.h	3
openvpnopenvpn/./sig.h	1
openvpnopenvpn/./otime.h	2
openvpnopenvpn/fdmisc.c	4
openvpnopenvpn/./socket.h	3
openvpnopenvpn/ssl.c	3
openvpnopenvpn/status.c	3
openvpnopenvpn/crypto_openssl.c	18
openvpnopenvpn/crypto.c	2
openvpnopenvpn/./console.h	2
openvpnopenvpn/console.c	2
openvpnopenvpn/console_builtin.c	4
openvpnopenvpn/./fuzz_header.h	7
openvpnopenvpn/base64.c	4
openvpnopenvpn/ntlm.c	10
openvpnopenvpn/forward.c	1
openvpnopenvpn/./fdmisc.h	1
openvpnopenvpn/./openssl_compat.h	2
openvpnopenvpn/httpdigest.c	3

Fuzzer: fuzz_route

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 1410 73.8%

gold [1:9] 6 0.31%

yellow [10:29] 13 0.68%

greenyellow [30:49] 12 0.62%

lawngreen 50+ 468 24.5%

All colors 1909 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	1410	73.8%
gold	[1:9]	6	0.31%
yellow	[10:29]	13	0.68%
greenyellow	[30:49]	12	0.62%
lawngreen	50+	468	24.5%
All colors	1909	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4015	4015	9 : View List ['__errno_location', '__res_init', 'assert_failed', 'management_sleep', 'getaddrinfo', 'freeaddrinfo', 'signal_reset', 'gai_strerror', 'get_signal.4308']	4021	7893	openvpn_getaddrinfo	call site: 01656	/src/openvpn/src/openvpn/socket.c:613
2071	2071	1 : View List ['management_set_state']	6092	9964	openvpn_getaddrinfo	call site: 00836	/src/openvpn/src/openvpn/socket.c:533
2071	2071	1 : View List ['management_set_state']	2071	6971	add_routes	call site: 01754	/src/openvpn/src/openvpn/route.c:1197
1002	1002	3 : View List ['print_bypass_addresses', 'add_block_local', 'get_bypass_addresses']	1004	4085	init_route_list	call site: 01687	/src/openvpn/src/openvpn/route.c:697
971	4857	9 : View List ['x_msg', 'msg_test.3638', 'gc_free.3640', 'print_in6_addr', 'net_ctx_reset.3641', 'argv_free', 'gc_new.3635', 'argv_new', 'net_route_v6_del']	971	4857	delete_route_ipv6	call site: 00521	/src/openvpn/src/openvpn/route.c:2337
971	2934	10 : View List ['x_msg', 'msg_test.3638', 'gc_free.3640', 'net_ctx_reset.3641', 'netmask_to_netbits2', 'net_route_v4_del', 'argv_free', 'local_route', 'gc_new.3635', 'argv_new']	971	2934	delete_route	call site: 00457	/src/openvpn/src/openvpn/route.c:2158
971	971	1 : View List ['openvpn_exit']	1940	1940	x_msg_va	call site: 00587	/src/openvpn/src/openvpn/error.c:393
969	969	1 : View List ['usage_small']	969	969	x_msg_va	call site: 00588	/src/openvpn/src/openvpn/error.c:398
4	4	1 : View List ['constrain_int']	4	4	set_debug_level	call site: 00019	/src/openvpn/src/openvpn/error.c:111
2	970	3 : View List ['x_msg', '_exit', 'msg_test.3638']	2	1941	print_route_options	call site: 01887	/src/openvpn/src/openvpn/route.c:1313
2	970	3 : View List ['x_msg', 'close', 'msg_test.1781']	2	970	sitnl_socket	call site: 00109	/src/openvpn/src/openvpn/networking_sitnl.c:177
2	11	2 : View List ['check_malloc_return', 'calloc']	2	11	string_alloc	call site: 00025	/src/openvpn/src/openvpn/buffer.c:703

Runtime coverage analysis

148

355

503

29.42%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_route.c	1
fuzz_randomizer.cpp	8
openvpnopenvpn/./buffer.h	29
openvpnopenvpn/env_set.c	19
openvpnopenvpn/buffer.c	37
openvpnopenvpn/error.c	15
openvpnopenvpn/options.c	8
openvpnopenvpn/./networking.h	2
openvpnopenvpn/init.c	11
openvpnopenvpn/./integer.h	5
openvpnopenvpn/./error.h	7
openvpnopenvpn/./status.h	1
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	9
openvpnopenvpn/route.c	48
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	21
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	91
openvpnopenvpn/./event.h	4
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	20
openvpnopenvpn/./interval.h	2
openvpnopenvpn/sig.c	7
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	5
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	3
openvpnopenvpn/otime.c	2
openvpnopenvpn/dns.c	4
openvpnopenvpn/packet_id.c	1
openvpnopenvpn/misc.c	2
openvpnopenvpn/crypto.c	1
openvpnopenvpn/crypto_openssl.c	3
openvpnopenvpn/./otime.h	1
openvpnopenvpn/./socket.h	3
openvpnopenvpn/./manage.h	2
openvpnopenvpn/fdmisc.c	4
openvpnopenvpn/ssl.c	3
openvpnopenvpn/status.c	3
openvpnopenvpn/./sig.h	1

Fuzzer: fuzz_buffer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 683 88.3%

gold [1:9] 84 10.8%

yellow [10:29] 4 0.51%

greenyellow [30:49] 1 0.12%

lawngreen 50+ 1 0.12%

All colors 773 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	683	88.3%
gold	[1:9]	84	10.8%
yellow	[10:29]	4	0.51%
greenyellow	[30:49]	1	0.12%
lawngreen	50+	1	0.12%
All colors	773	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
14	14	1 : View List ['__ctype_b_loc']	14	14	char_class	call site: 00273	/src/openvpn/src/openvpn/buffer.c:929
0	10	2 : View List ['buf_bptr', 'buf_len']	0	10	buf_blast	call site: 00640	/src/openvpn/src/openvpn/./buffer.h:274
0	0	None	14	14	char_class	call site: 00273	/src/openvpn/src/openvpn/buffer.c:925
0	0	None	12	131	buf_chomp	call site: 00647	/src/openvpn/src/openvpn/buffer.c:605
0	0	None	4	4	rm_trailing_chars	call site: 00667	/src/openvpn/src/openvpn/buffer.c:679
0	0	None	0	19	buf_null_terminate	call site: 00653	/src/openvpn/src/openvpn/buffer.c:587
0	0	None	0	13	alloc_buf_gc	call site: 00010	/src/openvpn/src/openvpn/buffer.c:94
0	0	None	0	9	gc_malloc	call site: 00025	/src/openvpn/src/openvpn/buffer.c:386
0	0	None	0	2	buffer_list_pop	call site: 00753	/src/openvpn/src/openvpn/buffer.c:1355
0	0	None	0	0	convert_to_one_line	call site: 00724	/src/openvpn/src/openvpn/buffer.c:337
0	0	None	0	0	buf_null_terminate	call site: 00652	/src/openvpn/src/openvpn/buffer.c:582
0	0	None	0	0	buf_bptr	call site: 00251	/src/openvpn/src/openvpn/./buffer.h:242

Runtime coverage analysis

222

267

16.85%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_buffer.c	1
fuzz_randomizer.cpp	4
openvpnopenvpn/./buffer.h	29
openvpnopenvpn/buffer.c	41
openvpnopenvpn/./error.h	5
openvpnopenvpn/error.c	9
openvpnopenvpn/./status.h	1
openvpnopenvpn/init.c	5
openvpnopenvpn/./tun.h	1
openvpnopenvpn/./options.h	1
openvpnopenvpn/tun.c	8
openvpnopenvpn/route.c	13
openvpnopenvpn/./route.h	1
openvpnopenvpn/networking_sitnl.c	17
openvpnopenvpn/./networking.h	1
openvpnopenvpn/dco_linux.c	2
openvpnopenvpn/manage.c	11
openvpnopenvpn/./event.h	1
openvpnopenvpn/./syshead.h	1
openvpnopenvpn/socket.c	4
openvpnopenvpn/./interval.h	1
openvpnopenvpn/sig.c	2
openvpnopenvpn/env_set.c	14
openvpnopenvpn/plugin.c	8
openvpnopenvpn/argv.c	16
openvpnopenvpn/./integer.h	1
openvpnopenvpn/./plugin.h	3
openvpnopenvpn/run_command.c	5
openvpnopenvpn/./env_set.h	2
openvpnopenvpn/options.c	3
openvpnopenvpn/./run_command.h	1
openvpnopenvpn/platform.c	3
openvpnopenvpn/ps.c	2
openvpnopenvpn/mstats.c	1
openvpnopenvpn/./perf.h	1
openvpnopenvpn/otime.c	1

Fuzzer: fuzz_verify_cert

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 906 91.0%

gold [1:9] 4 0.40%

yellow [10:29] 0 0.0%

greenyellow [30:49] 12 1.20%

lawngreen 50+ 73 7.33%

All colors 995 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	906	91.0%
gold	[1:9]	4	0.40%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	12	1.20%
lawngreen	50+	73	7.33%
All colors	995	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
11083	11083	15 : View List ['memcmp_constant_time', 'verify_cert_call_command', 'buf_len.6432', 'tls_verify_crl_missing', 'set_common_name', 'x509_get_sha1_fingerprint', 'setenv_untrusted', 'x509_get_sha256_fingerprint', 'verify_cert_set_env', 'verify_cert_call_plugin', 'verify_peer_cert', 'max_int.6544', 'buf_bptr.6434', 'verify_check_crl_dir', 'format_hex_ex']	14955	14955	verify_cert	call site: 00671	/src/openvpn/src/openvpn/ssl_verify.c:704
0	0	None	18827	20794	verify_cert	call site: 00665	/src/openvpn/src/openvpn/ssl_verify.c:677
0	0	None	16891	17859	verify_cert	call site: 00649	/src/openvpn/src/openvpn/ssl_verify.c:665
0	0	None	15923	16891	verify_cert	call site: 00668	/src/openvpn/src/openvpn/ssl_verify.c:693
0	0	None	14	14	char_class	call site: 00289	/src/openvpn/src/openvpn/buffer.c:925
0	0	None	8	8	extract_x509_field_ssl	call site: 00657	/src/openvpn/src/openvpn/ssl_verify_openssl.c:236
0	0	None	6	6	extract_x509_field_ssl	call site: 00658	/src/openvpn/src/openvpn/ssl_verify_openssl.c:242
0	0	None	2	2	x509_get_subject	call site: 00637	/src/openvpn/src/openvpn/ssl_verify_openssl.c:353
0	0	None	0	13	alloc_buf_gc	call site: 00255	/src/openvpn/src/openvpn/buffer.c:94
0	0	None	0	9	gc_malloc	call site: 00008	/src/openvpn/src/openvpn/buffer.c:386
0	0	None	0	0	init_session	call site: 00008	/src/fuzz_verify_cert.c:119
0	0	1 : View List ['free']	0	0	init_session	call site: 00016	/src/fuzz_verify_cert.c:130

Runtime coverage analysis

300

338