Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzzer_listen

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4801 88.5%
gold [1:9] 309 5.69%
yellow [10:29] 12 0.22%
greenyellow [30:49] 9 0.16%
lawngreen 50+ 292 5.38%
All colors 5423 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
114239 131878 41 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'pthread_mutex_unlock', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'terminate_non_graceful.255', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

114239 132181 sctp_process_control call site: 02329 /src/usrsctp/usrsctplib/netinet/sctp_input.c:4853
109212 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

109224 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
4969 4969 2 :

['sctp_chunk_output', 'sctp_send_shutdown_ack']

4969 4969 sctp_handle_init call site: 02437 /src/usrsctp/usrsctplib/netinet/sctp_input.c:163
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02493 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
130 130 2 :

['sctp_is_address_in_scope', 'sctp_add_addr_to_mbuf']

132 132 sctp_add_addresses_to_i_ia call site: 01533 /src/usrsctp/usrsctplib/netinet/sctp_output.c:2230
30 30 1 :

['m_tag_delete']

30 30 m_tag_delete_chain call site: 00125 /src/usrsctp/usrsctplib/user_mbuf.c:708
8 8 3 :

['pthread_mutex_lock', 'pthread_mutex_unlock', 'terminate_non_graceful.1232']

8 8 sctp_setopt call site: 05072 /src/usrsctp/usrsctplib/netinet/sctp_usrreq.c:7072
4 4 2 :

['exit', 'perror']

4 4 init_fuzzer call site: 05273 /src/usrsctp/fuzzer/fuzzer_listen.c:149
2 2 1 :

['pthread_rwlock_rdlock']

4 174 sctp_pcb_findep call site: 02094 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:2139
2 2 1 :

['__errno_location']

2 2 usrsctp_set_non_blocking call site: 04411 /src/usrsctp/usrsctplib/user_socket.c:1821
2 2 1 :

['__errno_location']

2 2 usrsctp_setsockopt call site: 04454 /src/usrsctp/usrsctplib/user_socket.c:2130
2 2 1 :

['__errno_location']

2 2 usrsctp_set_upcall call site: 05321 /src/usrsctp/usrsctplib/user_socket.c:3366

Runtime coverage analysis

Covered functions
154
Functions that are reachable but not covered
429
Reachable functions
579
Percentage of reachable functions covered
25.91%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzzer/fuzzer_listen.c 5
usrsctplib/user_socket.c 43
usrsctplib/netinet/sctp_usrreq.c 15
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 79
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 69
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 30
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 4
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Fuzzer: fuzzer_fragment

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5268 82.3%
gold [1:9] 109 1.70%
yellow [10:29] 2 0.03%
greenyellow [30:49] 4 0.06%
lawngreen 50+ 1015 15.8%
All colors 6398 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
83866 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

83878 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 05846 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4912 4912 1 :

['sctp_handle_ootb']

4912 5013 sctp_process_control call site: 02329 /src/usrsctp/usrsctplib/netinet/sctp_input.c:4853
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02646 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02595 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 05408 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02622 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
602 602 2 :

['sctp_send_shutdown_complete2', 'sctp_send_abort']

620 5590 sctp_common_input_processing call site: 02259 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5863
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02363 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00592 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809

Runtime coverage analysis

Covered functions
247
Functions that are reachable but not covered
379
Reachable functions
612
Percentage of reachable functions covered
38.07%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzzer/fuzzer_fragment.c 4
usrsctplib/user_socket.c 49
usrsctplib/netinet/sctp_usrreq.c 22
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 85
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 82
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 33
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 5
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Fuzzer: fuzzer/fuzzer_listen.c

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4333 79.7%
gold [1:9] 137 2.52%
yellow [10:29] 2 0.03%
greenyellow [30:49] 6 0.11%
lawngreen 50+ 956 17.5%
All colors 5434 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
78283 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

78295 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 00000 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02646 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02595 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 00000 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02622 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02493 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02363 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00592 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809
294 294 1 :

['sctp_notify_authentication']

296 296 sctp_ulp_notify call site: 00367 /src/usrsctp/usrsctplib/netinet/sctputil.c:4302

Runtime coverage analysis

Covered functions
264
Functions that are reachable but not covered
354
Reachable functions
586
Percentage of reachable functions covered
39.59%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzzer/fuzzer_listen.c 5
usrsctplib/user_socket.c 45
usrsctplib/netinet/sctp_usrreq.c 15
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 79
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 69
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 30
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 4
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1
programs/programs_helper.c 1

Fuzzer: fuzzer_connect

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5211 81.2%
gold [1:9] 104 1.62%
yellow [10:29] 2 0.03%
greenyellow [30:49] 6 0.09%
lawngreen 50+ 1091 17.0%
All colors 6414 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
78283 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

78295 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 05852 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02646 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02595 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 05414 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02622 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02493 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02363 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00592 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809
294 294 1 :

['sctp_notify_authentication']

296 296 sctp_ulp_notify call site: 00367 /src/usrsctp/usrsctplib/netinet/sctputil.c:4302

Runtime coverage analysis

Covered functions
264
Functions that are reachable but not covered
369
Reachable functions
613
Percentage of reachable functions covered
39.8%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzzer/fuzzer_connect.c 5
usrsctplib/user_socket.c 49
usrsctplib/netinet/sctp_usrreq.c 22
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 85
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 82
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 33
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 5
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Fuzzer: fuzzer/fuzzer_fragment.c

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5163 80.7%
gold [1:9] 111 1.73%
yellow [10:29] 2 0.03%
greenyellow [30:49] 6 0.09%
lawngreen 50+ 1115 17.4%
All colors 6397 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
78283 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

78295 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 05845 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02646 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02595 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 05408 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02622 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02493 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02363 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00592 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809
294 294 1 :

['sctp_notify_authentication']

296 296 sctp_ulp_notify call site: 00367 /src/usrsctp/usrsctplib/netinet/sctputil.c:4302

Runtime coverage analysis

Covered functions
264
Functions that are reachable but not covered
368
Reachable functions
611
Percentage of reachable functions covered
39.77%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzzer/fuzzer_fragment.c 4
usrsctplib/user_socket.c 49
usrsctplib/netinet/sctp_usrreq.c 22
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 85
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 82
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 33
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 5
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Fuzzer: fuzzer/fuzzer_connect.c

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5319 81.5%
gold [1:9] 104 1.59%
yellow [10:29] 2 0.03%
greenyellow [30:49] 6 0.09%
lawngreen 50+ 1092 16.7%
All colors 6523 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
78283 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

78295 127166 sctp_process_control call site: 03603 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 05956 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02652 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02601 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 05436 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02628 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04099 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02499 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01099 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02369 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00598 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809
294 294 1 :

['sctp_notify_authentication']

296 296 sctp_ulp_notify call site: 00373 /src/usrsctp/usrsctplib/netinet/sctputil.c:4302

Runtime coverage analysis

Covered functions
264
Functions that are reachable but not covered
388
Reachable functions
632
Percentage of reachable functions covered
38.61%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzer/fuzzer_connect.c 5
programs/programs_helper.c 11
usrsctplib/user_socket.c 51
usrsctplib/netinet/sctp_usrreq.c 22
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 85
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 82
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 33
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 5
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Fuzzer: fuzzer/fuzzer_connect.c

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5204 81.2%
gold [1:9] 104 1.62%
yellow [10:29] 2 0.03%
greenyellow [30:49] 6 0.09%
lawngreen 50+ 1090 17.0%
All colors 6406 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
78283 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

78295 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 05848 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02646 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02595 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 05413 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02622 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02493 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02363 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00592 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809
294 294 1 :

['sctp_notify_authentication']

296 296 sctp_ulp_notify call site: 00367 /src/usrsctp/usrsctplib/netinet/sctputil.c:4302

Runtime coverage analysis

Covered functions
264
Functions that are reachable but not covered
368
Reachable functions
611
Percentage of reachable functions covered
39.77%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzer/fuzzer_connect.c 4
usrsctplib/user_socket.c 49
usrsctplib/netinet/sctp_usrreq.c 22
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 85
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 82
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 33
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 5
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Fuzzer: fuzzer/fuzzer_listen.c

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4318 79.6%
gold [1:9] 139 2.56%
yellow [10:29] 2 0.03%
greenyellow [30:49] 6 0.11%
lawngreen 50+ 955 17.6%
All colors 5420 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
78283 127154 40 :

['sctp_ulp_notify', 'sctp_express_handle_sack', 'sctp_abort_an_association', 'sctp_handle_cookie_ack', 'sctp_handle_shutdown', 'sctp_handle_auth', 'sctp_chunk_output', 'sctp_handle_ecn_cwr', 'sctp_handle_asconf_ack', 'm_freem', 'sctp_send_abort', 'sctp_handle_sack', 'm_copym', 'sctp_handle_cookie_echo', 'sctp_handle_forward_tsn', 'pthread_mutex_lock', 'sctp_queue_op_err', 'sctp_handle_asconf', 'sctp_generate_cause', 'sctp_send_asconf_ack', 'sctp_handle_error', 'sctp_handle_shutdown_ack', 'sctp_get_mbuf_for_msg', 'sctp_free_assoc', 'sctp_handle_shutdown_complete', 'sctp_handle_heartbeat_ack', 'sctp_handle_ecn_echo', '__bswap_16.256', 'sctp_handle_stream_reset', 'sctp_misc_ints', '__bswap_32', 'sctp_handle_packet_dropped', 'sctp_handle_abort', 'sctp_m_getptr', 'sctp_handle_init', 'sctp_handle_init_ack', 'sctp_timer_start', 'pthread_mutex_trylock', 'sctp_send_heartbeat_ack', 'sctp_abort_association']

78295 127166 sctp_process_control call site: 03597 /src/usrsctp/usrsctplib/netinet/sctp_input.c:5364
5179 15742 7 :

['sctp_abort_an_association', 'sctp_send_shutdown', 'sctp_timer_start', 'sctp_generate_cause', 'sctp_is_there_unsent_data', 'sctp_add_substate', 'sctp_stop_timers_for_shutdown']

5197 35381 sctp_lower_sosend call site: 00000 /src/usrsctp/usrsctplib/netinet/sctp_output.c:14697
4906 5053 3 :

['sctp_generate_cause', 'sctp_abort_association', 'm_freem']

4906 5053 sctp_process_init_ack call site: 02646 /src/usrsctp/usrsctplib/netinet/sctp_input.c:487
4906 5007 2 :

['sctp_generate_cause', 'sctp_abort_association']

4906 5007 sctp_handle_init_ack call site: 02595 /src/usrsctp/usrsctplib/netinet/sctp_input.c:1371
4898 4898 1 :

['sctp_user_rcvd']

4906 4927 sctp_sorecvmsg call site: 00000 /src/usrsctp/usrsctplib/netinet/sctputil.c:7088
1380 2848 8 :

['sctp_ulp_notify', 'terminate_non_graceful.255', 'sctp_free_bufspace', 'sctp_auth_key_release', 'm_freem', 'pthread_mutex_trylock', 'sctp_free_ifa', 'sctp_userspace_rtfree']

1384 4268 sctp_process_init call site: 02622 /src/usrsctp/usrsctplib/netinet/sctp_input.c:279
714 714 1 :

['sctp_send_ecn_echo']

732 10470 sctp_common_input_processing call site: 04093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:6137
698 698 1 :

['sctp_source_address_selection']

714 3435 sctp_send_initiate_ack call site: 02493 /src/usrsctp/usrsctplib/netinet/sctp_output.c:6152
682 750 5 :

['sctp_auth_key_release', 'free', 'sctp_userspace_rtfree', 'sctp_free_ifa', 'm_freem']

682 750 sctp_is_there_unsent_data call site: 01093 /src/usrsctp/usrsctplib/netinet/sctp_input.c:211
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

549 29775 sctp_handle_cookie_ack call site: 02363 /src/usrsctp/usrsctplib/netinet/sctp_input.c:3187
310 5191 4 :

['sctp_chunk_output', 'sctp_stop_timers_for_shutdown', 'sctp_set_state', 'sctp_send_shutdown']

350 54498 sctp_inpcb_free call site: 00592 /src/usrsctp/usrsctplib/netinet/sctp_pcb.c:3809
294 294 1 :

['sctp_notify_authentication']

296 296 sctp_ulp_notify call site: 00367 /src/usrsctp/usrsctplib/netinet/sctputil.c:4302

Runtime coverage analysis

Covered functions
264
Functions that are reachable but not covered
346
Reachable functions
577
Percentage of reachable functions covered
40.03%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzer/fuzzer_listen.c 4
usrsctplib/user_socket.c 43
usrsctplib/netinet/sctp_usrreq.c 15
usrsctplib/user_environment.c 2
usrsctplib/netinet/sctp_sysctl.c 1
usrsctplib/netinet/sctp_pcb.c 61
usrsctplib/netinet/sctputil.c 79
usrsctplib/netinet/sctp_callout.c 7
usrsctplib/netinet/sctp_bsd_addr.c 8
usrsctplib/netinet/sctp_userspace.c 4
usrsctplib/user_environment.h 1
usrsctplib/netinet/sctp_output.c 69
usrsctplib/netinet/sctp_auth.c 53
usrsctplib/netinet/sctp_indata.c 34
usrsctplib/user_mbuf.c 30
usrsctplib/netinet/sctp_os_userspace.h 3
usrsctplib/netinet/sctp_timer.c 16
/usr/include/x86_64-linux-gnu/bits/byteswap.h 2
usrsctplib/netinet6/sctp6_usrreq.c 4
usrsctplib/netinet/sctp_sha1.c 4
usrsctplib/netinet/sctp_asconf.c 39
usrsctplib/netinet/sctp_crc32.c 7
usrsctplib/netinet/sctp_input.c 40
usrsctplib/user_recv_thread.c 7
/usr/include/x86_64-linux-gnu/bits/socket.h 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
userspace_shutdown /src/usrsctp/usrsctplib/user_socket.c 2 ['N/A', 'int'] 18 0 14 3 2 256 0 5014 145
sctp_drain_mbufs /src/usrsctp/usrsctplib/netinet/sctp_pcb.c 1 ['N/A'] 22 0 1732 326 112 253 1 4981 112
sctp_cwnd_update_rtcc_after_sack /src/usrsctp/usrsctplib/netinet/sctp_cc_functions.c 5 ['N/A', 'N/A', 'int', 'int', 'int'] 4 0 17 3 2 7 0 109 107
sctp6_in6getaddr /src/usrsctp/usrsctplib/netinet6/sctp6_usrreq.c 2 ['N/A', 'N/A'] 6 0 57 11 5 39 0 434 60
sctp_htcp_cwnd_update_after_sack /src/usrsctp/usrsctplib/netinet/sctp_cc_functions.c 5 ['N/A', 'N/A', 'int', 'int', 'int'] 7 0 136 31 13 14 0 84 58
m_pulldown /src/usrsctp/usrsctplib/user_mbuf.c 4 ['N/A', 'int', 'int', 'N/A'] 8 0 550 108 43 23 0 182 53
usrsctp_peeloff /src/usrsctp/usrsctplib/user_socket.c 2 ['N/A', 'int'] 21 0 290 58 21 291 0 5306 50
sctp6_getpeeraddr /src/usrsctp/usrsctplib/netinet6/sctp6_usrreq.c 2 ['N/A', 'N/A'] 3 0 57 11 5 7 0 57 47
sctp_sendm /src/usrsctp/usrsctplib/netinet/sctp_usrreq.c 6 ['N/A', 'int', 'N/A', 'N/A', 'N/A', 'N/A'] 26 0 138 30 12 317 0 6495 43

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
70.0%
629 / 897
Cyclomatic complexity statically reachable by fuzzers
93.0%
17316 / 18649

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzzer/fuzzer_listen.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['usrsctp_setsockopt', 'sctp_process_control', 'sctp_lowlevel_chunk_output', 'sctp_alloc_chunklist', 'sctp_add_addresses_to_i_ia', 'sctp_inpcb_bind_locked', 'm_copydata', 'sctp_common_input_processing', 'sctp_generate_cause', 'sctp_setopt']

fuzzer/fuzzer_fragment.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['usrsctp_sendv', 'sctp_process_control', 'sctp_setopt', 'sctp_send_initiate', 'sctp_initialize_auth_params', 'sctp_common_input_processing', 'sctp_aloc_assoc_connected', 'sctp_notify_adaptation_layer']

fuzzer/fuzzer_listen.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['sctp_process_control', 'sctp_setopt', 'sctp_send_initiate', 'sctp_initialize_auth_params', 'sctp_common_input_processing', 'sctp_aloc_assoc_connected', 'sctp_notify_adaptation_layer', 'sctp_inpcb_free']

fuzzer/fuzzer_connect.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['usrsctp_sendv', 'sctp_process_control', 'sctp_setopt', 'sctp_send_initiate', 'sctp_initialize_auth_params', 'sctp_common_input_processing', 'sctp_aloc_assoc_connected', 'sctp_notify_adaptation_layer']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
sctp_insert_sharedkey 34 7 20.58% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_common_input_processing 341 172 50.43% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_process_control 767 284 37.02% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_handle_cookie_echo 370 144 38.91% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_add_addresses_to_i_ia 150 25 16.66% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_lowlevel_chunk_output 541 72 13.30% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_send_resp_msg 242 114 47.10% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_add_addr_to_vrf 224 103 45.98% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_findassociation_ep_addr 291 80 27.49% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_pcb_findep 59 31 52.54% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_inpcb_bind_locked 264 88 33.33% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_tcb_special_locate 211 24 11.37% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_endpoint_probe 179 74 41.34% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_findassoc_by_vtag 70 35 50.0% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_setopt 2815 189 6.714% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_listen 153 35 22.87% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect']
sctp_timer_start 303 117 38.61% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_get_ifa_hash_val 40 16 40.0% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
recv_thread_init 204 80 39.21% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
socreate 48 22 45.83% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
usrsctp_setsockopt 71 27 38.02% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_is_there_unsent_data 50 25 50.0% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_handle_init_ack 54 28 51.85% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_process_init_ack 126 40 31.74% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_process_init 114 48 42.10% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_chunk_output 169 70 41.42% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_lower_sosend 996 295 29.61% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_med_chunk_output 815 329 40.36% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_move_to_outqueue 354 155 43.78% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_clean_up_ctl 33 18 54.54% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_set_prsctp_policy 35 6 17.14% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_copy_mbufchain 108 45 41.66% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_findasoc_ep_asocid_locked 31 11 35.48% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_inpcb_free 259 104 40.15% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_add_remote_addr 294 116 39.45% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_free_assoc 372 179 48.11% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_load_addresses_from_init 575 271 47.13% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_does_stcb_own_this_addr 166 52 31.32% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_iterator_inp_being_freed 31 8 25.80% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_aloc_assoc_locked 170 65 38.23% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctpconn_connect 103 54 52.42% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_ulp_notify 190 32 16.84% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_cmpaddr 38 12 31.57% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_invoke_recv_callback 88 7 7.954% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_add_to_readq 85 34 40.0% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sctp_sorecvmsg 734 273 37.19% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
m_adj 55 22 40.0% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
sofree 37 18 48.64% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', 'fuzzer_listen', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
usrsctp_sendv 102 34 33.33% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
usrsctp_recvv 135 50 37.03% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']
user_connect 48 13 27.08% ['/src/usrsctp/fuzzer/fuzzer_connect.c', '/src/usrsctp/fuzzer/fuzzer_listen.c', '/src/usrsctp/fuzzer/fuzzer_fragment.c', 'fuzzer_connect', 'fuzzer_fragment']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/usrsctp/usrsctplib/netinet/sctp_input.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/user_recv_thread.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_output.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_sha1.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctputil.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_cc_functions.c [] []
/src/usrsctp/usrsctplib/netinet/sctp_bsd_addr.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/usr/include/x86_64-linux-gnu/bits/socket.h ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/usrsctplib/netinet/sctp_crc32.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/usrsctplib/user_socket.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet6/sctp6_usrreq.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/usrsctplib/netinet/sctp_timer.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/usrsctplib/netinet/sctp_peeloff.c [] []
/src/usrsctp/usrsctplib/user_mbuf.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/user_environment.h ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/usrsctplib/netinet/sctp_asconf.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/fuzzer/fuzzer_listen.c ['fuzzer_listen', 'fuzzer/fuzzer_listen.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer/fuzzer_listen.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_usrreq.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_os_userspace.h ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_indata.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/usr/include/x86_64-linux-gnu/bits/byteswap.h ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] []
/src/usrsctp/programs/programs_helper.c ['fuzzer/fuzzer_listen.c', 'fuzzer/fuzzer_connect.c'] []
/src/usrsctp/usrsctplib/netinet/sctp_userspace.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/user_environment.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_auth.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/fuzzer/fuzzer_connect.c ['fuzzer_connect', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c'] ['fuzzer_connect', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c']
/src/usrsctp/usrsctplib/netinet/sctp_ss_functions.c [] []
/src/usrsctp/usrsctplib/netinet/sctp_callout.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/fuzzer/fuzzer_fragment.c ['fuzzer_fragment', 'fuzzer/fuzzer_fragment.c'] ['fuzzer_fragment', 'fuzzer/fuzzer_fragment.c']
/src/usrsctp/usrsctplib/netinet/sctp_sysctl.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']
/src/usrsctp/usrsctplib/netinet/sctp_pcb.c ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c'] ['fuzzer_listen', 'fuzzer_fragment', 'fuzzer/fuzzer_listen.c', 'fuzzer_connect', 'fuzzer/fuzzer_fragment.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_connect.c', 'fuzzer/fuzzer_listen.c']

Directories in report

Directory
/src/usrsctp/fuzzer/
/usr/include/x86_64-linux-gnu/bits/
/src/usrsctp/usrsctplib/
/src/usrsctp/usrsctplib/netinet6/
/src/usrsctp/programs/
/src/usrsctp/usrsctplib/netinet/