High level conclusions

Fuzzers reach 63.40% of cyclomatic complexity.

Fuzzers reach 58.28% of all functions.

Fuzzer wnm is blocked:

The runtime code coverage of wnm covers 6.295% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer ap-mgmt is blocked:

The runtime code coverage of ap-mgmt covers 10.75% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer dpp-uri is blocked:

The runtime code coverage of dpp-uri covers 10.01% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer tls-server is blocked:

The runtime code coverage of tls-server covers 29.87% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer pasn-resp is blocked:

The runtime code coverage of pasn-resp covers 26.29% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

3091 / 5303

Cyclomatic complexity statically reachable by fuzzers

24018 / 37879

Runtime code coverage of functions

1172 / 5303

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: asn1

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	29	34.1%
gold	[1:9]	6	7.05%
yellow	[10:29]	8	9.41%
greenyellow	[30:49]	1	1.17%
lawngreen	50+	41	48.2%
All colors	85	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00067	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00039	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
0	0	None	0	0	asn1_get_next	call site: 00005	/src/hostap/tests/fuzzing/asn1/../../../src/tls/asn1.c:180
0	0	None	0	0	asn1_oid_to_str	call site: 00057	/src/hostap/tests/fuzzing/asn1/../../../src/tls/asn1.c:357
0	0	None	0	0	asn1_parse	call site: 00033	/src/hostap/tests/fuzzing/asn1/asn1.c:86
0	0	None	0	0	asn1_parse	call site: 00033	/src/hostap/tests/fuzzing/asn1/asn1.c:111

Runtime coverage analysis

Covered functions

19

Functions that are reachable but not covered

9

Reachable functions

28

Percentage of reachable functions covered

67.86%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/asn1/asn1.c	3
tests/fuzzing/asn1/../fuzzer-common.c	1
tests/fuzzing/asn1/../../../src/tls/asn1.c	8
tests/fuzzing/asn1/../../../src/utils/wpa_debug.c	6
tests/fuzzing/asn1/../../../src/utils/os_unix.c	1
tests/fuzzing/asn1/../../../src/tls/asn1.h	1
tests/fuzzing/asn1/../../../src/utils/os.h	1

Fuzzer: json

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7	9.85%
gold	[1:9]	4	5.63%
yellow	[10:29]	4	5.63%
greenyellow	[30:49]	5	7.04%
lawngreen	50+	51	71.8%
All colors	71	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	0	None	6	245	json_parse	call site: 00005	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:238
0	0	None	6	245	json_parse	call site: 00032	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:304
0	0	None	6	245	json_parse	call site: 00041	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:376
0	0	None	6	245	json_parse	call site: 00047	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:428
0	0	None	2	17	json_parse_string	call site: 00023	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:76
0	0	None	2	17	json_parse_string	call site: 00024	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:91
0	0	None	2	2	json_parse_number	call site: 00045	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:179
0	0	None	0	3	json_parse	call site: 00045	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:424
0	0	None	0	0	json_parse_number	call site: 00045	/src/hostap/tests/fuzzing/json/../../../src/utils/json.c:175

Runtime coverage analysis

Covered functions

17

Functions that are reachable but not covered

12

Reachable functions

29

Percentage of reachable functions covered

58.62%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/json/json.c	1
tests/fuzzing/json/../fuzzer-common.c	1
tests/fuzzing/json/../../../src/utils/json.c	9
tests/fuzzing/json/../../../src/utils/wpa_debug.c	2
tests/fuzzing/json/../../../src/utils/os_unix.c	2
tests/fuzzing/json/../../../src/utils/common.c	3
tests/fuzzing/json/../../../src/utils/os.h	1

Fuzzer: eap-mschapv2-peer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	48.0%
gold	[1:9]	1	2.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	25	50.0%
All colors	50	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
70	70	2 : View List ['wpabuf_put_be32', 'wpabuf_put_be24']	70	70	eap_msg_alloc	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_common/eap_common.c:146
54	104	2 : View List ['generate_nt_response_pwhash', 'generate_authenticator_response_pwhash']	54	291	mschapv2_derive_response	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/mschapv2.c:63
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00000	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00035	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
4	16	2 : View List ['os_memdup', 'eap_mschapv2_deinit']	4	16	eap_mschapv2_init	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:126
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	4	1 : View List ['wpabuf_free']	0	4	eap_mschapv2_challenge_reply	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:211
0	2	1 : View List ['eap_sm_request_identity']	0	2	eap_mschapv2_check_config	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:718
0	2	1 : View List ['eap_sm_request_password']	0	2	eap_mschapv2_check_config	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:724
0	0	None	8	32	eap_mschapv2_init	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:117
0	0	None	0	206	eap_mschapv2_challenge_reply	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:196
0	0	None	0	206	eap_mschapv2_challenge_reply	call site: 00000	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c:206

Runtime coverage analysis

Covered functions

89

Functions that are reachable but not covered

12

Reachable functions

32

Percentage of reachable functions covered

62.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eap-mschapv2-peer/eap-mschapv2-peer.c	3
tests/fuzzing/eap-mschapv2-peer/../fuzzer-common.c	1
tests/fuzzing/eap-mschapv2-peer/../../../src/eap_peer/eap_mschapv2.c	1
src/utils/os_unix.c	2
tests/fuzzing/eap-mschapv2-peer/../../../src/utils/common.h	1
src/utils/wpabuf.c	5
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/eap-mschapv2-peer/../../../src/utils/wpa_debug.h	1
tests/fuzzing/eap-mschapv2-peer/../../../src/utils/wpabuf.h	2

Fuzzer: eap-sim-peer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	48.0%
gold	[1:9]	1	2.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	25	50.0%
All colors	50	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
98	98	2 : View List ['eap_sim_ext_sim_req', 'eap_sim_ext_sim_result']	98	98	eap_sim_gsm_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:289
97	97	1 : View List ['eap_sim_process_notification_reauth']	97	97	eap_sim_process_notification_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:1018
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00000	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00035	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
7	256	4 : View List ['eap_sim_msg_add', 'eap_sim_msg_free', 'eap_sim_msg_add_encr_start', 'eap_sim_msg_add_encr_end']	7	398	eap_sim_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:743
7	7	1 : View List ['eap_sim_msg_free']	7	7	eap_sim_response_reauth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:717
4	4	1 : View List ['realloc']	4	4	wpabuf_resize	call site: 00000	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpabuf.c:69
2	2	1 : View List ['eap_sm_request_identity']	2	2	eap_sim_process	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:1205
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	73	1 : View List ['eap_sim_msg_add_mac']	0	142	eap_sim_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:759
0	66	1 : View List ['eap_sim_msg_add']	0	208	eap_sim_response_reauth	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c:723
0	46	2 : View List ['WPA_GET_BE16', 'wpa_hexdump']	0	46	eap_sim_parse_attr	call site: 00000	/src/hostap/tests/fuzzing/eap-sim-peer/../../../src/eap_common/eap_sim_common.c:795

Runtime coverage analysis

Covered functions

96

Functions that are reachable but not covered

12

Reachable functions

32

Percentage of reachable functions covered

62.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eap-sim-peer/eap-sim-peer.c	3
tests/fuzzing/eap-sim-peer/../fuzzer-common.c	1
tests/fuzzing/eap-sim-peer/../../../src/eap_peer/eap_sim.c	1
src/utils/os_unix.c	2
tests/fuzzing/eap-sim-peer/../../../src/utils/common.h	1
src/utils/wpabuf.c	5
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/eap-sim-peer/../../../src/utils/wpa_debug.h	1
tests/fuzzing/eap-sim-peer/../../../src/utils/wpabuf.h	2

Fuzzer: x509

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	54	15.2%
gold	[1:9]	26	7.32%
yellow	[10:29]	22	6.19%
greenyellow	[30:49]	16	4.50%
lawngreen	50+	237	66.7%
All colors	355	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00105	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00045	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	29	1 : View List ['x509_certificate_free']	0	29	x509_certificate_parse	call site: 00350	/src/hostap/src/tls/x509v3.c:1807
0	0	None	0	835	x509_parse_tbs_certificate	call site: 00187	/src/hostap/src/tls/x509v3.c:1557
0	0	None	0	29	x509_certificate_parse	call site: 00039	/src/hostap/src/tls/x509v3.c:1754
0	0	None	0	6	x509_certificate_free	call site: 00039	/src/hostap/src/tls/x509v3.c:49
0	0	None	0	3	x509_parse_name	call site: 00101	/src/hostap/src/tls/x509v3.c:408
0	0	None	0	3	x509_parse_name	call site: 00133	/src/hostap/src/tls/x509v3.c:440
0	0	None	0	0	asn1_oid_to_str	call site: 00229	/src/hostap/tests/fuzzing/asn1/../../../src/tls/asn1.c:357
0	0	None	0	0	x509_parse_algorithm_identifier	call site: 00076	/src/hostap/src/tls/x509v3.c:200
0	0	None	0	0	x509_parse_name	call site: 00086	/src/hostap/src/tls/x509v3.c:312

Runtime coverage analysis

Covered functions

74

Functions that are reachable but not covered

17

Reachable functions

91

Percentage of reachable functions covered

81.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/x509/x509.c	1
tests/fuzzing/x509/../fuzzer-common.c	1
src/tls/x509v3.c	40
src/utils/os_unix.c	5
src/tls/asn1.c	10
src/utils/wpa_debug.c	6
src/tls/./asn1.h	11
src/utils/common.c	1
src/tls/../utils/os.h	1

Fuzzer: sae

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	103	41.8%
gold	[1:9]	3	1.21%
yellow	[10:29]	3	1.21%
greenyellow	[30:49]	16	6.50%
lawngreen	50+	121	49.1%
All colors	246	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
84	84	1 : View List ['sae_parse_commit_element_ffc']	84	84	sae_parse_commit_element	call site: 00118	/src/hostap/src/common/sae.c:2054
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00182	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00090	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
4	4	2 : View List ['BN_num_bits', 'BN_bn2bin']	4	4	crypto_bignum_to_bin	call site: 00146	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2055
3	125	3 : View List ['sae_clear_data', 'crypto_bignum_init_set', 'dh_groups_get']	3	125	sae_set_group	call site: 00056	/src/hostap/src/common/sae.c:46
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	0	None	6	6	crypto_ec_point_from_bin	call site: 00160	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2601
0	0	None	4	241	sae_parse_commit	call site: 00118	/src/hostap/src/common/sae.c:2213
0	0	None	3	226	sae_set_group	call site: 00022	/src/hostap/src/common/sae.c:33
0	0	None	0	34	sae_parse_rejected_groups	call site: 00213	/src/hostap/src/common/sae.c:2148
0	0	None	0	29	sae_parse_password_identifier	call site: 00180	/src/hostap/src/common/sae.c:2109
0	0	None	0	7	sae_parse_commit_scalar	call site: 00104	/src/hostap/src/common/sae.c:1923

Runtime coverage analysis

Covered functions

58

Functions that are reachable but not covered

46

Reachable functions

104

Percentage of reachable functions covered

55.77%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/sae/sae.c	1
tests/fuzzing/sae/../fuzzer-common.c	1
src/utils/os_unix.c	5
src/common/sae.c	18
src/common/../utils/common.h	2
src/utils/wpa_debug.c	6
tests/fuzzing/sae/../../../src/common/dragonfly.c	1
tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c	20
src/utils/wpabuf.c	4
src/utils/common.c	2
tests/fuzzing/sae/../../../src/crypto/dh_groups.c	1
src/common/../utils/wpabuf.h	3
src/utils/./wpabuf.h	3
src/common/../utils/wpa_debug.h	1

Fuzzer: pasn-resp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	804	73.6%
gold	[1:9]	57	5.22%
yellow	[10:29]	46	4.21%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	184	16.8%
All colors	1091	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
939	1012	6 : View List ['pasn_derive_keys', 'pmksa_cache_auth_get', 'wpa_key_mgmt_ft.1740', 'pasn_wd_handle_sae_commit', 'ieee802_11_defrag', 'pasn_auth_frame_hash']	939	1366	handle_auth_pasn_1	call site: 00323	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:837
617	752	16 : View List ['wpa_pasn_add_wrapped_data', 'pasn_get_wrapped_data', 'pasn_mic', 'wpa_pasn_add_rsne', 'wpa_pasn_add_extra_ies', 'wpabuf_put', 'wpabuf_alloc', 'wpabuf_put_data.1709', 'free', 'wpabuf_put_u8.1713', 'wpa_pasn_add_parameter_ie', 'crypto_ecdh_prime_len', 'os_zalloc', 'pasn_mic_len', 'wpabuf_zeropad', 'crypto_ecdh_get_pubkey']	617	784	handle_auth_pasn_resp	call site: 00806	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:509
134	134	1 : View List ['pasn_wd_handle_sae_confirm']	134	258	handle_auth_pasn_3	call site: 01037	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:1080
21	21	1 : View List ['hmac_sha384']	21	48	pasn_mic	call site: 00997	/src/hostap/tests/fuzzing/pasn-resp/../../../src/common/wpa_common.c:1694
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00056	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
4	8	3 : View List ['ERR_error_string', 'ERR_get_error', 'wpabuf_free']	16	20	crypto_ecdh_set_peerkey	call site: 00310	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:3067
4	4	2 : View List ['AES_unwrap_key', 'OPENSSL_cleanse']	4	4	aes_unwrap	call site: 01070	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:736
2	2	1 : View List ['clock_gettime']	2	2	os_get_reltime	call site: 00187	/src/hostap/tests/fuzzing/asn1/../../../src/utils/os_unix.c:94
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	21	1 : View List ['wpa_hexdump']	0	21	__ieee802_11_parse_elems	call site: 00053	/src/hostap/src/common/ieee802_11_common.c:699
0	7	1 : View List ['wpabuf_alloc']	0	7	wpabuf_resize	call site: 00330	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpabuf.c:54
0	0	None	1071	1807	handle_auth_pasn_1	call site: 00134	/src/hostap/tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c:732

Runtime coverage analysis

Covered functions

77

Functions that are reachable but not covered

213

Reachable functions

289

Percentage of reachable functions covered

26.3%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/pasn-resp/pasn-resp.c	3
tests/fuzzing/pasn-resp/../fuzzer-common.c	1
tests/fuzzing/pasn-resp/../../../src/utils/os_unix.c	8
tests/fuzzing/pasn-resp/../../../src/utils/eloop.c	4
tests/fuzzing/pasn-resp/../../../src/utils/list.h	2
tests/fuzzing/pasn-resp/../../../src/utils/wpa_debug.c	7
tests/fuzzing/pasn-resp/../../../src/pasn/pasn_common.c	3
tests/fuzzing/pasn-resp/../../../src/utils/common.c	7
tests/fuzzing/pasn-resp/../../../src/pasn/pasn_responder.c	10
tests/fuzzing/pasn-resp/../../../src/common/ieee802_11_common.c	8
tests/fuzzing/pasn-resp/../../../src/utils/common.h	7
tests/fuzzing/pasn-resp/../../../src/common/ieee802_11_common.h	1
tests/fuzzing/pasn-resp/../../../src/common/wpa_common.c	23
tests/fuzzing/pasn-resp/../../../src/ap/comeback_token.c	3
tests/fuzzing/pasn-resp/../../../src/crypto/crypto_openssl.c	46
tests/fuzzing/pasn-resp/../../../src/utils/wpabuf.c	7
tests/fuzzing/pasn-resp/../../../src/utils/wpabuf.h	11
tests/fuzzing/pasn-resp/../../../src/utils/os.h	3
tests/fuzzing/pasn-resp/../../../src/common/sae.c	40
tests/fuzzing/pasn-resp/../../../src/common/dragonfly.c	3
tests/fuzzing/pasn-resp/../../../src/crypto/dh_groups.c	1
tests/fuzzing/pasn-resp/../../../src/utils/wpa_debug.h	1
tests/fuzzing/pasn-resp/../../../src/common/defs.h	3
tests/fuzzing/pasn-resp/../../../src/crypto/sha256-prf.c	2
tests/fuzzing/pasn-resp/../../../src/crypto/sha384-prf.c	2

Fuzzer: tls-server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1514	81.9%
gold	[1:9]	281	15.2%
yellow	[10:29]	24	1.29%
greenyellow	[30:49]	17	0.91%
lawngreen	50+	12	0.64%
All colors	1848	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
602	602	1 : View List ['tlsv1_set_key_enc_pem']	602	602	tlsv1_set_key	call site: 00716	/src/hostap/src/tls/tlsv1_cred.c:1012
567	567	1 : View List ['pkcs8_enc_key_import']	567	771	crypto_private_key_import	call site: 00446	/src/hostap/src/crypto/crypto_internal-rsa.c:49
240	240	1 : View List ['tlsv1_client_deinit']	240	461	tls_connection_deinit	call site: 01822	/src/hostap/src/crypto/tls_internal.c:155
74	78	5 : View List ['wpabuf_alloc', 'WPA_GET_BE16', 'wpa_hexdump_buf', 'wpabuf_put_data', 'wpabuf_free']	74	78	read_msg	call site: 00855	/src/hostap/tests/fuzzing/tls-server/tls-server.c:31
56	56	1 : View List ['crypto_cipher_init']	56	56	tlsv1_record_change_write_cipher	call site: 01585	/src/hostap/src/tls/tlsv1_record.c:86
56	56	1 : View List ['crypto_cipher_init']	56	56	tlsv1_record_change_read_cipher	call site: 01424	/src/hostap/src/tls/tlsv1_record.c:120
14	14	1 : View List ['mp_copy']	28	39	mp_mul_2d	call site: 00461	/src/hostap/src/tls/./libtommath.c:1382
14	14	1 : View List ['mp_lshd']	14	18	mp_mul_2d	call site: 00464	/src/hostap/src/tls/./libtommath.c:1395
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00149	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
12	12	1 : View List ['crypto_cipher_deinit']	68	68	tlsv1_record_change_write_cipher	call site: 01584	/src/hostap/src/tls/tlsv1_record.c:82
12	12	1 : View List ['crypto_cipher_deinit']	68	68	tlsv1_record_change_read_cipher	call site: 01423	/src/hostap/src/tls/tlsv1_record.c:116
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00089	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281

Runtime coverage analysis

Covered functions

121

Functions that are reachable but not covered

284

Reachable functions

405

Percentage of reachable functions covered

29.88%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/tls-server/tls-server.c	2
tests/fuzzing/tls-server/../fuzzer-common.c	1
src/crypto/tls_internal.c	11
src/tls/tlsv1_client.c	10
src/crypto/crypto_internal.c	5
src/tls/tlsv1_server.c	14
src/utils/os_unix.c	8
src/tls/tlsv1_cred.c	15
src/tls/x509v3.c	59
src/utils/wpa_debug.c	8
src/crypto/crypto_internal-rsa.c	8
src/tls/rsa.c	6
src/tls/bignum.c	12
src/tls/./libtommath.c	42
src/utils/common.c	7
src/tls/asn1.c	10
src/tls/./asn1.h	12
src/tls/../utils/os.h	1
src/utils/base64.c	2
src/tls/pkcs8.c	2
src/tls/pkcs5.c	13
src/tls/../utils/common.h	6
src/crypto/sha1-pbkdf2.c	2
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/crypto/crypto_internal-cipher.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/aes-internal-dec.c	5
src/crypto/./aes_i.h	1
src/crypto/des-internal.c	9
src/crypto/md5-internal.c	5
src/crypto/rc4.c	1
src/crypto/../utils/common.h	4
src/tls/tlsv1_common.c	12
src/crypto/sha256-internal.c	5
src/crypto/sha384-internal.c	4
src/crypto/sha512-internal.c	5
tests/fuzzing/tls-server/../../../src/utils/common.h	1
src/utils/wpabuf.c	7
tests/fuzzing/tls-server/../../../src/utils/wpabuf.h	4
src/utils/./wpabuf.h	4
tests/fuzzing/tls-server/../../../src/utils/wpa_debug.h	1
src/crypto/../utils/wpabuf.h	4
src/tls/tlsv1_record.c	5
src/tls/tlsv1_server_read.c	12
src/crypto/crypto_internal-modexp.c	1
src/crypto/sha256-tlsprf.c	1
src/crypto/sha256.c	2
src/crypto/sha1-tlsprf.c	1
src/crypto/md5.c	2
src/tls/pkcs1.c	4
src/tls/tlsv1_server_write.c	13
src/tls/../utils/wpabuf.h	4

Fuzzer: radius

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	55	29.5%
gold	[1:9]	1	0.53%
yellow	[10:29]	5	2.68%
greenyellow	[30:49]	2	1.07%
lawngreen	50+	123	66.1%
All colors	186	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
33	33	1 : View List ['wpabuf_put_u8']	33	112	radius_msg_add_attr	call site: 00055	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:796
16	18	2 : View List ['wpabuf_resize', 'wpabuf_mhead']	49	292	radius_msg_add_attr	call site: 00049	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:789
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00162	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	7	1 : View List ['radius_msg_free']	0	7	radius_msg_new	call site: 00012	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:111
0	4	1 : View List ['MD5Transform']	0	4	MD5Update	call site: 00082	/src/hostap/src/crypto/md5-internal.c:121
0	2	1 : View List ['wpabuf_len']	0	2	radius_msg_finish	call site: 00095	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:479
0	0	None	49	300	radius_msg_add_attr	call site: 00041	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:751
0	0	None	49	294	radius_msg_add_attr	call site: 00046	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:765
0	0	None	49	294	radius_msg_add_attr	call site: 00047	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:775
0	0	None	2	33	radius_msg_finish	call site: 00035	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:468
0	0	None	2	8	radius_msg_finish	call site: 00034	/src/hostap/tests/fuzzing/radius/../../../src/radius/radius.c:464

Runtime coverage analysis

Covered functions

61

Functions that are reachable but not covered

21

Reachable functions

82

Percentage of reachable functions covered

74.39%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/radius/radius.c	1
tests/fuzzing/radius/../fuzzer-common.c	1
src/utils/os_unix.c	6
tests/fuzzing/radius/../../../src/radius/radius.c	23
src/utils/wpabuf.c	6
tests/fuzzing/radius/../../../src/utils/os.h	2
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/radius/../../../src/utils/wpabuf.h	8
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/utils/common.c	4
src/utils/../utils/os.h	1
tests/fuzzing/radius/../../../src/utils/common.h	2
tests/fuzzing/radius/../../../src/utils/wpa_debug.h	1

Fuzzer: eap-aka-peer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	48.0%
gold	[1:9]	1	2.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	25	50.0%
All colors	50	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
463	780	9 : View List ['free', 'eap_aka_clear_identities', 'wpa_hexdump', 'eap_aka_state', 'eap_aka_learn_ids', 'eap_sim_derive_keys_reauth', 'eap_sim_parse_encr', 'eap_aka_prime_derive_keys_reauth', 'eap_aka_response_reauth']	463	1179	eap_aka_process_reauthentication	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1366
190	256	4 : View List ['eap_sim_msg_add', 'eap_sim_msg_free', 'eap_sim_msg_add_encr_start', 'eap_sim_msg_add_encr_end']	190	398	eap_aka_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:867
101	101	2 : View List ['eap_aka_ext_sim_result', 'eap_aka_ext_sim_req']	101	101	eap_aka_umts_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:292
97	97	1 : View List ['eap_aka_process_notification_reauth']	97	97	eap_aka_process_notification_auth	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1282
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00000	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00035	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
2	2	1 : View List ['eap_aka_prime_derive_keys']	2	559	eap_aka_process_challenge	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1179
2	2	1 : View List ['eap_sm_request_identity']	2	2	eap_aka_process	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:1477
2	2	1 : View List ['eap_sim_verify_mac_sha256']	2	2	eap_aka_verify_mac	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:951
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	137	2 : View List ['wpabuf_free', 'eap_aka_client_error']	0	137	eap_aka_process_identity	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:932
0	73	1 : View List ['eap_sim_msg_add_mac']	0	142	eap_aka_response_notification	call site: 00000	/src/hostap/tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c:883

Runtime coverage analysis

Covered functions

99

Functions that are reachable but not covered

12

Reachable functions

32

Percentage of reachable functions covered

62.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eap-aka-peer/eap-aka-peer.c	3
tests/fuzzing/eap-aka-peer/../fuzzer-common.c	1
tests/fuzzing/eap-aka-peer/../../../src/eap_peer/eap_aka.c	1
src/utils/os_unix.c	2
tests/fuzzing/eap-aka-peer/../../../src/utils/common.h	1
src/utils/wpabuf.c	5
src/utils/./wpabuf.h	4
src/utils/wpa_debug.c	4
tests/fuzzing/eap-aka-peer/../../../src/utils/wpa_debug.h	1
tests/fuzzing/eap-aka-peer/../../../src/utils/wpabuf.h	2

Fuzzer: dpp-uri

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3338	95.8%
gold	[1:9]	5	0.14%
yellow	[10:29]	17	0.48%
greenyellow	[30:49]	20	0.57%
lawngreen	50+	102	2.92%
All colors	3482	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
18	18	1 : View List ['ieee80211_chan_to_freq_us']	53	96	ieee80211_chan_to_freq	call site: 00065	/src/hostap/src/common/ieee802_11_common.c:2028
15	15	1 : View List ['ieee80211_chan_to_freq_eu']	35	73	ieee80211_chan_to_freq	call site: 00067	/src/hostap/src/common/ieee802_11_common.c:2034
14	14	1 : View List ['ieee80211_chan_to_freq_jp']	20	53	ieee80211_chan_to_freq	call site: 00069	/src/hostap/src/common/ieee802_11_common.c:2040
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00018	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00121	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
6	6	1 : View List ['ieee80211_chan_to_freq_cn']	6	34	ieee80211_chan_to_freq	call site: 00071	/src/hostap/src/common/ieee802_11_common.c:2046
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	0	None	6918	6918	dpp_relay_flush_controllers	call site: 03469	/src/hostap/tests/fuzzing/dpp-uri/../../../src/common/dpp_tcp.c:2379
0	0	None	3474	3474	dpp_controller_free	call site: 03477	/src/hostap/tests/fuzzing/dpp-uri/../../../src/common/dpp_tcp.c:721
0	0	None	26	26	openssl_digest_vector	call site: 00138	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:345
0	0	None	18	18	openssl_digest_vector	call site: 00139	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:347
0	0	None	18	18	openssl_digest_vector	call site: 00144	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:354

Runtime coverage analysis

Covered functions

62

Functions that are reachable but not covered

557

Reachable functions

619

Percentage of reachable functions covered

10.02%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/dpp-uri/dpp-uri.c	1
tests/fuzzing/dpp-uri/../fuzzer-common.c	1
src/utils/os_unix.c	11
tests/fuzzing/dpp-uri/../../../src/common/dpp.c	90
tests/fuzzing/dpp-uri/../../../src/utils/list.h	3
src/utils/wpa_debug.c	9
src/common/ieee802_11_common.c	8
src/utils/common.c	14
src/utils/ip_addr.c	2
src/utils/base64.c	7
tests/fuzzing/dpp-uri/../../../src/common/dpp_crypto.c	40
tests/fuzzing/dpp-uri/../../../src/crypto/crypto_openssl.c	67
src/utils/../utils/os.h	2
tests/fuzzing/dpp-uri/../../../src/utils/os.h	1
tests/fuzzing/dpp-uri/../../../src/common/dpp_tcp.c	37
src/utils/eloop.c	8
src/utils/./list.h	3
src/utils/./os.h	3
src/utils/wpabuf.c	8
src/utils/./wpabuf.h	5
tests/fuzzing/dpp-uri/../../../src/crypto/sha256-kdf.c	1
tests/fuzzing/dpp-uri/../../../src/crypto/sha384-kdf.c	1
tests/fuzzing/dpp-uri/../../../src/crypto/sha512-kdf.c	1
tests/fuzzing/dpp-uri/../../../src/utils/wpa_debug.h	2
tests/fuzzing/dpp-uri/../../../src/utils/wpabuf.h	13
src/utils/json.c	20
tests/fuzzing/dpp-uri/../../../src/utils/common.h	8
tests/fuzzing/dpp-uri/../../../src/crypto/aes-siv.c	7
tests/fuzzing/dpp-uri/../../../src/crypto/aes-ctr.c	1
src/common/gas.c	2
src/common/../utils/wpabuf.h	1
tests/fuzzing/dpp-uri/../../../src/common/dpp_auth.c	14
tests/fuzzing/dpp-uri/../../../src/common/dpp_backup.c	17
tests/fuzzing/dpp-uri/../../../src/common/dpp_reconfig.c	5
tests/fuzzing/dpp-uri/../../../src/common/dpp_pkex.c	11
tests/fuzzing/dpp-uri/../../../src/tls/asn1.c	22
tests/fuzzing/dpp-uri/../../../src/tls/asn1.h	7
/usr/include/openssl/x509.h	2

Fuzzer: pasn-init

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	795	68.1%
gold	[1:9]	25	2.14%
yellow	[10:29]	17	1.45%
greenyellow	[30:49]	3	0.25%
lawngreen	50+	327	28.0%
All colors	1167	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
952	952	5 : View List ['wpa_key_mgmt_ft.1746', 'pmksa_cache_get', 'pmksa_cache_add', 'wpas_pasn_wd_fils_rx', 'wpas_pasn_wd_sae_rx']	952	952	wpas_pasn_set_pmk	call site: 00761	/src/hostap/tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c:843
71	71	1 : View List ['wpa_ltf_keyseed']	782	1022	wpa_pasn_auth_rx	call site: 01066	/src/hostap/tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c:1319
67	67	2 : View List ['WPA_GET_BE32.1505', 'wpa_parse_wpa_ie_wpa']	67	295	wpa_parse_wpa_ie	call site: 00606	/src/hostap/tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c:31
42	42	1 : View List ['sha384_vector']	42	42	pasn_auth_frame_hash	call site: 00526	/src/hostap/tests/fuzzing/pasn-resp/../../../src/common/wpa_common.c:1732
36	36	1 : View List ['sha384_prf']	36	192	pasn_pmk_to_ptk	call site: 01052	/src/hostap/tests/fuzzing/pasn-resp/../../../src/common/wpa_common.c:1513
24	24	1 : View List ['sae_deinit_pt']	24	31	wpa_pasn_reset	call site: 01159	/src/hostap/tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c:794
21	21	1 : View List ['hmac_sha384']	21	48	pasn_mic	call site: 01096	/src/hostap/tests/fuzzing/pasn-resp/../../../src/common/wpa_common.c:1694
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00198	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
4	8	3 : View List ['ERR_error_string', 'ERR_get_error', 'wpabuf_free']	16	20	crypto_ecdh_set_peerkey	call site: 00737	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:3067
4	4	2 : View List ['ERR_error_string', 'ERR_get_error']	10	14	crypto_ecdh_get_pubkey	call site: 00094	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2920
4	4	2 : View List ['BN_num_bits', 'BN_bn2bin']	4	4	crypto_bignum_to_bin	call site: 00099	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2055
2	2	1 : View List ['BN_new']	14	111	crypto_ecdh_get_pubkey	call site: 00091	/src/hostap/tests/fuzzing/sae/../../../src/crypto/crypto_openssl.c:2911

Runtime coverage analysis

Covered functions

101

Functions that are reachable but not covered

192

Reachable functions

292

Percentage of reachable functions covered

34.25%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/pasn-init/pasn-init.c	1
tests/fuzzing/pasn-init/../fuzzer-common.c	1
tests/fuzzing/pasn-init/../../../src/utils/os_unix.c	7
tests/fuzzing/pasn-init/../../../src/utils/common.c	7
tests/fuzzing/pasn-init/../../../src/pasn/pasn_initiator.c	16
tests/fuzzing/pasn-init/../../../src/common/dragonfly.c	3
tests/fuzzing/pasn-init/../../../src/utils/wpa_debug.c	7
tests/fuzzing/pasn-init/../../../src/common/ieee802_11_common.c	9
tests/fuzzing/pasn-init/../../../src/crypto/crypto_openssl.c	46
tests/fuzzing/pasn-init/../../../src/utils/wpabuf.c	7
tests/fuzzing/pasn-init/../../../src/utils/wpabuf.h	11
tests/fuzzing/pasn-init/../../../src/common/wpa_common.c	29
tests/fuzzing/pasn-init/../../../src/common/defs.h	4
tests/fuzzing/pasn-init/../../../src/rsn_supp/pmksa_cache.c	2
tests/fuzzing/pasn-init/../../../src/common/sae.c	41
tests/fuzzing/pasn-init/../../../src/crypto/dh_groups.c	1
tests/fuzzing/pasn-init/../../../src/utils/common.h	6
tests/fuzzing/pasn-init/../../../src/utils/wpa_debug.h	1
tests/fuzzing/pasn-init/../../../src/eapol_supp/eapol_supp_sm.h	4
tests/fuzzing/pasn-init/../../../src/common/ieee802_11_common.h	1
tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c	1
tests/fuzzing/pasn-init/../../../src/crypto/sha256-prf.c	2
tests/fuzzing/pasn-init/../../../src/crypto/sha384-prf.c	2
tests/fuzzing/pasn-init/../../../src/pasn/pasn_common.c	1

Fuzzer: tls-client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	673	38.1%
gold	[1:9]	86	4.87%
yellow	[10:29]	108	6.11%
greenyellow	[30:49]	50	2.83%
lawngreen	50+	848	48.0%
All colors	1765	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1377	1377	1 : View List ['tls_process_certificate_status']	1377	1377	tls_process_server_key_exchange	call site: 00418	/src/hostap/src/tls/tlsv1_client_read.c:1063
369	393	5 : View List ['bignum_mul', 'bignum_add', 'bignum_mulmod', 'bignum_init', 'bignum_sub']	369	1062	crypto_rsa_exptmod	call site: 00915	/src/hostap/src/tls/rsa.c:277
236	282	6 : View List ['wpabuf_free', 'wpabuf_put', 'wpabuf_mhead', 'wpabuf_alloc', 'wpabuf_size', 'tlsv1_server_decrypt']	236	282	tls_connection_decrypt2	call site: 01687	/src/hostap/src/crypto/tls_internal.c:616
221	221	1 : View List ['tlsv1_server_deinit']	221	221	tls_connection_deinit	call site: 01736	/src/hostap/src/crypto/tls_internal.c:159
211	211	1 : View List ['tlsv1_server_encrypt']	211	257	tls_connection_encrypt	call site: 01653	/src/hostap/src/crypto/tls_internal.c:558
141	141	2 : View List ['free', 'tlsv1_server_init']	141	141	tls_connection_init	call site: 00112	/src/hostap/src/crypto/tls_internal.c:115
82	82	2 : View List ['x509_certificate_get_subject', 'x509_certificate_self_signed']	82	82	tls_client_cert_chain_der_len	call site: 01478	/src/hostap/src/tls/tlsv1_client_write.c:29
39	39	1 : View List ['mp_reduce_2k_setup_l']	39	392	s_mp_exptmod	call site: 00929	/src/hostap/src/tls/./libtommath.c:1928
13	13	2 : View List ['__ctype_b_loc', 'wpa_debug_print_timestamp']	13	13	_wpa_hexdump_ascii	call site: 00570	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:423
12	76	3 : View List ['free', 'x509_certificate_chain_free', 'crypto_private_key_free']	12	76	tlsv1_cred_free	call site: 01743	/src/hostap/src/tls/tlsv1_cred.c:31
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00132	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
4	4	1 : View List ['realloc']	4	4	wpabuf_resize	call site: 00220	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpabuf.c:69

Runtime coverage analysis

Covered functions

295

Functions that are reachable but not covered

88

Reachable functions

379

Percentage of reachable functions covered

76.78%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/tls-client/tls-client.c	2
tests/fuzzing/tls-client/../fuzzer-common.c	1
src/crypto/tls_internal.c	11
src/tls/tlsv1_client.c	14
src/crypto/crypto_internal.c	5
src/tls/tlsv1_server.c	11
src/utils/os_unix.c	7
src/tls/tlsv1_common.c	13
src/crypto/md5-internal.c	5
src/utils/common.c	4
src/crypto/sha1-internal.c	5
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/sha384-internal.c	4
src/crypto/sha512-internal.c	5
src/utils/wpa_debug.c	7
src/crypto/../utils/wpabuf.h	4
src/tls/tlsv1_client_write.c	13
src/tls/../utils/common.h	5
src/tls/tlsv1_record.c	5
src/crypto/crypto_internal-cipher.c	4
src/crypto/rc4.c	1
src/crypto/aes-internal-enc.c	4
src/crypto/./aes_i.h	1
src/crypto/des-internal.c	9
src/utils/wpabuf.c	7
src/tls/../utils/wpabuf.h	4
src/utils/./wpabuf.h	4
src/crypto/aes-internal-dec.c	5
src/tls/tlsv1_client_read.c	17
src/crypto/sha256-tlsprf.c	1
src/crypto/sha256.c	2
src/crypto/sha1-tlsprf.c	1
src/crypto/md5.c	2
src/crypto/sha1.c	2
src/tls/tlsv1_client_ocsp.c	7
src/tls/asn1.c	10
src/tls/./asn1.h	13
src/tls/../utils/os.h	1
src/tls/x509v3.c	59
src/crypto/crypto_internal-rsa.c	7
src/tls/rsa.c	5
src/tls/bignum.c	11
src/tls/./libtommath.c	41
src/tls/pkcs1.c	3
src/crypto/aes-internal.c	1
src/crypto/crypto_internal-modexp.c	1
tests/fuzzing/tls-client/../../../src/utils/common.h	1
tests/fuzzing/tls-client/../../../src/utils/wpabuf.h	4
tests/fuzzing/tls-client/../../../src/utils/wpa_debug.h	1
src/tls/tlsv1_cred.c	1

Fuzzer: eapol-key-supp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1581	77.9%
gold	[1:9]	20	0.98%
yellow	[10:29]	16	0.78%
greenyellow	[30:49]	4	0.19%
lawngreen	50+	407	20.0%
All colors	2028	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2181	2181	1 : View List ['wpa_sm_rx_eapol_wpa']	2181	2187	wpa_sm_rx_eapol	call site: 01072	/src/hostap/src/rsn_supp/wpa.c:3985
1485	2262	3 : View List ['wpa_ft_prepare_auth_request', 'eapol_sm_notify_portValid', 'wpa_supplicant_key_neg_complete']	1485	2557	wpa_sm_notify_assoc	call site: 00839	/src/hostap/src/rsn_supp/wpa.c:4487
1025	1025	1 : View List ['rsn_preauth_deinit']	2510	3588	wpa_sm_notify_assoc	call site: 00229	/src/hostap/src/rsn_supp/wpa.c:4483
827	827	2 : View List ['eap_notify_lower_layer_success', 'eapol_sm_step']	827	827	eapol_sm_notify_lower_layer_success	call site: 01063	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1836
774	774	1 : View List ['eapol_sm_step']	774	774	eapol_sm_notify_portValid	call site: 00825	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1488
523	523	1 : View List ['wpa_supplicant_process_mlo_1_of_2']	523	529	wpa_sm_rx_eapol	call site: 01895	/src/hostap/src/rsn_supp/wpa.c:4128
233	233	1 : View List ['wpa_derive_ptk_ft']	233	233	wpa_derive_ptk	call site: 01441	/src/hostap/src/rsn_supp/wpa.c:724
146	146	1 : View List ['wpa_supplicant_pairwise_mlo_gtk']	1663	1743	wpa_supplicant_process_3_of_4	call site: 01791	/src/hostap/src/rsn_supp/wpa.c:2946
61	61	1 : View List ['wpa_sm_set_ap_wpa_ie']	61	61	supp_get_beacon_ie	call site: 00000	/src/hostap/tests/fuzzing/eapol-key-supp/eapol-key-supp.c:169
50	50	1 : View List ['wpa_gen_wpa_ie_wpa']	50	50	wpa_gen_wpa_ie	call site: 00181	/src/hostap/tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c:287
48	48	1 : View List ['wpa_supplicant_activate_ptk']	1854	2789	wpa_supplicant_process_3_of_4	call site: 01780	/src/hostap/src/rsn_supp/wpa.c:2929
48	48	1 : View List ['wpa_insert_pmkid']	48	445	wpa_supplicant_send_2_of_4	call site: 01553	/src/hostap/src/rsn_supp/wpa.c:545

Runtime coverage analysis

Covered functions

165

Functions that are reachable but not covered

334

Reachable functions

490

Percentage of reachable functions covered

31.84%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eapol-key-supp/eapol-key-supp.c	6
tests/fuzzing/eapol-key-supp/../fuzzer-common.c	1
src/utils/os_unix.c	9
src/utils/eloop.c	18
src/utils/./list.h	5
src/utils/wpa_debug.c	8
src/rsn_supp/wpa.c	76
src/rsn_supp/../utils/list.h	3
src/rsn_supp/pmksa_cache.c	12
src/utils/./os.h	4
src/utils/common.c	4
src/rsn_supp/./wpa_i.h	21
src/rsn_supp/../common/defs.h	8
src/rsn_supp/../common/wpa_common.h	3
src/common/wpa_common.c	32
src/common/./defs.h	7
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/rsn_supp/../utils/common.h	8
src/eapol_supp/eapol_supp_sm.c	50
src/rsn_supp/wpa_ie.c	5
src/rsn_supp/preauth.c	6
src/utils/wpabuf.c	6
src/eap_peer/eap.c	62
src/eapol_supp/../utils/wpabuf.h	2
src/eap_peer/../utils/wpabuf.h	7
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/eap_peer/../utils/common.h	4
src/utils/./wpabuf.h	5
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	6
src/eap_common/../utils/common.h	4
src/eap_peer/eap_methods.c	2
src/crypto/tls_internal.c	2
src/tls/tlsv1_client.c	2
src/crypto/crypto_internal.c	2
src/tls/tlsv1_server.c	2
src/tls/tlsv1_cred.c	1
src/tls/x509v3.c	3
src/crypto/crypto_internal-rsa.c	1
src/tls/rsa.c	1
src/tls/bignum.c	1
src/tls/./libtommath.c	1
src/l2_packet/l2_packet_linux.c	3
src/l2_packet/../utils/common.h	2
src/eap_peer/../utils/list.h	1
src/rsn_supp/wpa_ft.c	6
src/common/ieee802_11_common.c	4
src/common/../utils/wpabuf.h	2
src/crypto/aes-omac1.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/rsn_supp/tdls.c	21
src/rsn_supp/../rsn_supp/wpa_i.h	4
tests/fuzzing/eapol-key-supp/../../../src/utils/common.h	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/common/../utils/common.h	5
src/common/../utils/os.h	1
src/crypto/sha256-prf.c	2
src/crypto/sha1-prf.c	1
src/crypto/rc4.c	1
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5

Fuzzer: eapol-supp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1315	69.1%
gold	[1:9]	37	1.94%
yellow	[10:29]	25	1.31%
greenyellow	[30:49]	20	1.05%
lawngreen	50+	504	26.5%
All colors	1901	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2181	2181	1 : View List ['wpa_sm_rx_eapol_wpa']	2181	2187	wpa_sm_rx_eapol	call site: 00645	/src/hostap/src/rsn_supp/wpa.c:3985
2091	2091	1 : View List ['wpa_supplicant_process_3_of_4']	2091	2097	wpa_sm_rx_eapol	call site: 01568	/src/hostap/src/rsn_supp/wpa.c:4112
778	778	1 : View List ['eapol_sm_abort_cached']	778	1600	eapol_sm_rx_eapol	call site: 00592	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1370
233	233	1 : View List ['wpa_derive_ptk_ft']	233	233	wpa_derive_ptk	call site: 01115	/src/hostap/src/rsn_supp/wpa.c:724
128	128	1 : View List ['wpa_sm_tptk_to_ptk']	132	443	wpa_supplicant_verify_eapol_key_mic	call site: 00653	/src/hostap/src/rsn_supp/wpa.c:3476
89	210	7 : View List ['eap_update_len', 'eap_sm_build_expanded_nak', 'wpabuf_put_u8.1550', 'wpa_hexdump', 'eap_msg_alloc', 'wpabuf_put', 'eap_allowed_method']	89	210	eap_sm_buildNak	call site: 00421	/src/hostap/src/eap_peer/eap.c:1460
76	76	3 : View List ['free', 'x509_certificate_chain_free', 'crypto_private_key_free']	76	76	tlsv1_cred_free	call site: 01448	/src/hostap/src/tls/tlsv1_cred.c:31
70	70	2 : View List ['wpabuf_put_be32', 'wpabuf_put_be24']	70	70	eap_msg_alloc	call site: 00351	/src/hostap/tests/fuzzing/eap-mschapv2-peer/../../../src/eap_common/eap_common.c:146
53	827	2 : View List ['eap_notify_lower_layer_success', 'eapol_sm_step']	53	827	eapol_sm_notify_lower_layer_success	call site: 00636	/src/hostap/src/eapol_supp/eapol_supp_sm.c:1836
50	50	1 : View List ['wpa_gen_wpa_ie_wpa']	50	50	wpa_gen_wpa_ie	call site: 00544	/src/hostap/tests/fuzzing/pasn-init/../../../src/rsn_supp/wpa_ie.c:287
48	48	1 : View List ['wpa_insert_pmkid']	48	445	wpa_supplicant_send_2_of_4	call site: 01228	/src/hostap/src/rsn_supp/wpa.c:545
47	84	2 : View List ['wpa_msg', 'sm_EAP_FAILURE_Enter']	47	84	sm_EAP_Step	call site: 00185	/src/hostap/src/eap_peer/eap.c:1370

Runtime coverage analysis

Covered functions

223

Functions that are reachable but not covered

248

Reachable functions

458

Percentage of reachable functions covered

45.85%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eapol-supp/eapol-supp.c	4
tests/fuzzing/eapol-supp/../fuzzer-common.c	1
src/utils/os_unix.c	9
src/utils/eloop.c	18
src/utils/./list.h	5
src/utils/wpa_debug.c	8
src/rsn_supp/wpa.c	73
src/rsn_supp/../utils/list.h	3
src/rsn_supp/pmksa_cache.c	12
src/utils/./os.h	4
src/utils/common.c	4
src/rsn_supp/./wpa_i.h	21
src/eapol_supp/eapol_supp_sm.c	50
src/eap_peer/eap.c	62
src/eap_peer/../utils/list.h	1
src/crypto/tls_internal.c	2
src/tls/tlsv1_client.c	2
src/crypto/crypto_internal.c	2
src/tls/tlsv1_server.c	2
src/utils/wpabuf.c	6
src/eapol_supp/../utils/wpabuf.h	2
src/eap_peer/../utils/wpabuf.h	7
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/crypto/sha1-internal.c	5
src/eap_peer/../utils/common.h	4
src/utils/./wpabuf.h	5
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	6
src/eap_common/../utils/common.h	4
src/eap_peer/eap_methods.c	2
src/rsn_supp/wpa_ie.c	5
src/rsn_supp/../utils/common.h	7
src/common/wpa_common.c	32
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/crypto/sha1.c	2
src/crypto/aes-omac1.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/common/../utils/common.h	5
src/rsn_supp/../common/wpa_common.h	3
src/common/../utils/os.h	1
src/rsn_supp/../common/defs.h	8
src/common/./defs.h	7
src/rsn_supp/wpa_ft.c	5
src/crypto/sha256-prf.c	2
src/common/ieee802_11_common.c	4
src/crypto/sha1-prf.c	1
src/crypto/rc4.c	1
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
src/rsn_supp/preauth.c	6
src/l2_packet/l2_packet_linux.c	3
src/l2_packet/../utils/common.h	2
src/tls/tlsv1_cred.c	1
src/tls/x509v3.c	3
src/crypto/crypto_internal-rsa.c	1
src/tls/rsa.c	1
src/tls/bignum.c	1
src/tls/./libtommath.c	1
src/common/../utils/wpabuf.h	2

Fuzzer: p2p

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1404	59.8%
gold	[1:9]	139	5.92%
yellow	[10:29]	78	3.32%
greenyellow	[30:49]	75	3.19%
lawngreen	50+	651	27.7%
All colors	2347	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1109	3152	10 : View List ['p2p_parse', 'p2p_channel_to_freq', 'p2p_channels_intersect', 'p2p_invite_send', 'p2p_check_pref_chan', 'p2p_set_state', 'p2p_clear_timeout', 'p2p_peer_channels_check', 'p2p_channel_random_social', 'p2p_parse_free']	1109	3177	p2p_process_invitation_resp	call site: 01742	/src/hostap/src/p2p/p2p_invitation.c:505
1080	1080	1 : View List ['p2p_go_neg_failed']	1080	1104	p2p_device_free	call site: 00365	/src/hostap/src/p2p/p2p.c:946
565	907	14 : View List ['p2p_buf_add_operating_channel', 'p2p_buf_add_persistent_group_info', 'p2p_buf_add_connection_capability', 'p2p_buf_add_channel_list', 'p2p_buf_add_feature_capability', 'p2ps_add_new_group_info', 'p2p_buf_add_intended_addr', 'is_p2p_6ghz_capable', 'is_zero_ether_addr.1253', 'p2p_buf_add_device_info', 'p2p_is_peer_6ghz_capab', 'p2p_buf_add_session_id', 'p2p_buf_add_capability', 'p2p_buf_add_config_timeout']	617	1131	p2p_build_prov_disc_resp	call site: 01881	/src/hostap/src/p2p/p2p_pd.c:394
384	409	10 : View List ['os_snprintf_error.602', 'is_6ghz_freq', 'p2p_dbg', 'p2p_channels_includes', 'is_p2p_6ghz_capable', 'p2p_check_pref_chan_recv', 'p2p_is_peer_6ghz_capab', 'p2p_pref_freq_allowed', 'p2p_check_pref_chan_no_recv', 'p2p_freq_to_channel']	384	409	p2p_check_pref_chan	call site: 01434	/src/hostap/src/p2p/p2p_go_neg.c:732
129	129	1 : View List ['p2p_buf_add_service_instance']	129	129	p2p_build_probe_resp_ies	call site: 00965	/src/hostap/src/p2p/p2p.c:2385
121	1585	8 : View List ['p2p_parse', 'p2p_parse_free', 'wpabuf_head', 'p2p_send_action', 'wpabuf_free', 'p2p_build_presence_resp', 'wpabuf_len', 'p2p_group_presence_req']	121	1600	p2p_process_presence_req	call site: 02202	/src/hostap/src/p2p/p2p.c:4743
116	131	2 : View List ['p2p_pref_channel_filter', 'p2p_channels_dump']	206	717	p2p_build_go_neg_resp	call site: 01492	/src/hostap/src/p2p/p2p_go_neg.c:371
78	1166	7 : View List ['wpabuf_head.1450', 'p2p_build_gas_comeback_resp', 'wpabuf_len.1451', 'p2p_send_action', 'wpabuf_free', 'wpabuf_head_u8.1486', 'ether_addr_equal.1461']	78	1191	p2p_rx_gas_comeback_req	call site: 02119	/src/hostap/src/p2p/p2p_sd.c:648
64	64	1 : View List ['p2p_buf_add_group_id']	77	173	p2p_build_invitation_resp	call site: 01723	/src/hostap/src/p2p/p2p_invitation.c:168
53	53	1 : View List ['p2p_freq_to_channel']	53	228	p2p_process_invitation_req	call site: 01688	/src/hostap/src/p2p/p2p_invitation.c:305
52	52	1 : View List ['p2p_buf_add_advertisement_id']	52	138	p2p_build_prov_disc_resp	call site: 01902	/src/hostap/src/p2p/p2p_pd.c:489
46	46	1 : View List ['p2p_buf_add_group_bssid']	123	219	p2p_build_invitation_resp	call site: 01722	/src/hostap/src/p2p/p2p_invitation.c:165

Runtime coverage analysis

Covered functions

216

Functions that are reachable but not covered

168

Reachable functions

376

Percentage of reachable functions covered

55.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/p2p/p2p.c	3
tests/fuzzing/p2p/../fuzzer-common.c	1
src/utils/os_unix.c	7
src/utils/eloop.c	11
src/utils/./list.h	5
src/utils/wpa_debug.c	6
src/p2p/p2p.c	85
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	3
src/p2p/../utils/list.h	3
src/p2p/p2p_utils.c	20
src/p2p/../utils/os.h	4
src/utils/./os.h	2
src/p2p/p2p_parse.c	8
src/common/ieee802_11_common.c	20
src/common/../utils/common.h	3
src/common/./ieee802_11_common.h	1
src/utils/wpabuf.c	8
src/common/../utils/wpabuf.h	8
src/utils/./wpabuf.h	6
src/wps/wps_attr_parse.c	5
src/wps/../utils/wpabuf.h	7
src/wps/../utils/common.h	5
src/wps/../utils/wpa_debug.h	1
src/p2p/../utils/common.h	12
src/wps/wps_common.c	1
src/wps/../utils/os.h	1
src/p2p/../utils/wpabuf.h	13
src/utils/common.c	7
src/p2p/../utils/wpa_debug.h	1
src/p2p/p2p_pd.c	22
src/p2p/p2p_build.c	36
src/p2p/p2p_sd.c	14
src/common/gas.c	11
src/p2p/p2p_go_neg.c	19
src/wps/wps_attr_build.c	3
src/p2p/p2p_invitation.c	6
src/p2p/p2p_group.c	8
src/p2p/p2p_dev_disc.c	5

Fuzzer: eapol-key-auth

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1111	70.1%
gold	[1:9]	4	0.25%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	469	29.6%
All colors	1584	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
86	86	2 : View List ['sm_WPA_PTK_GROUP_KEYERROR_Enter', 'sm_WPA_PTK_GROUP_REKEYESTABLISHED_Enter']	1649	1649	sm_WPA_PTK_GROUP_Step	call site: 00217	/src/hostap/src/ap/wpa_auth.c:5623
67	67	1 : View List ['wpa_parse_wpa_ie_wpa']	250	367	wpa_validate_wpa_ie	call site: 01135	/src/hostap/src/ap/wpa_auth_ie.c:851
63	108	3 : View List ['wpa_auth_logger', 'eloop_deplete_timeout', 'eloop_register_timeout']	63	1220	wpa_auth_sta_deinit	call site: 01297	/src/hostap/src/ap/wpa_auth.c:1150
50	50	1 : View List ['wpa_write_wpa_ie']	220	241	wpa_auth_gen_wpa_ie	call site: 00063	/src/hostap/src/ap/wpa_auth_ie.c:656
48	48	1 : View List ['wpa_insert_pmkid']	79	1724	sm_WPA_PTK_PTKINITNEGOTIATING_Enter	call site: 00930	/src/hostap/src/ap/wpa_auth.c:4980
45	45	1 : View List ['sm_WPA_PTK_INITPMK_Enter']	45	45	sm_WPA_PTK_Step	call site: 00486	/src/hostap/src/ap/wpa_auth.c:5304
36	36	1 : View List ['sha256_prf']	36	225	wpa_pmk_to_ptk	call site: 00628	/src/hostap/src/common/wpa_common.c:513
31	31	2 : View List ['wpa_write_ftie', 'WPA_PUT_LE32']	31	1624	sm_WPA_PTK_PTKINITNEGOTIATING_Enter	call site: 00946	/src/hostap/src/ap/wpa_auth.c:5012
26	26	1 : View List ['wpa_group_free']	26	26	wpa_group_put	call site: 00383	/src/hostap/src/ap/wpa_auth.c:6837
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00094	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
5	20	3 : View List ['WPA_GET_BE32.719', 'rsn_selector_to_bitfield', 'wpa_cipher_valid_mgmt_group']	5	41	wpa_parse_wpa_ie_rsn	call site: 00785	/src/hostap/src/common/wpa_common.c:2009
3	3	1 : View List ['wpa_write_mdie']	223	244	wpa_auth_gen_wpa_ie	call site: 00062	/src/hostap/src/ap/wpa_auth_ie.c:648

Runtime coverage analysis

Covered functions

204

Functions that are reachable but not covered

208

Reachable functions

392

Percentage of reachable functions covered

46.94%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/eapol-key-auth/eapol-key-auth.c	4
tests/fuzzing/eapol-key-auth/../fuzzer-common.c	1
src/utils/os_unix.c	8
src/utils/eloop.c	12
src/utils/./list.h	5
src/utils/wpa_debug.c	8
src/ap/wpa_auth.c	95
src/ap/wpa_auth_ie.c	13
src/ap/../utils/common.h	7
src/common/wpa_common.c	41
src/common/../utils/common.h	5
src/ap/../common/defs.h	11
src/ap/wpa_auth_ft.c	62
src/utils/common.c	5
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
src/crypto/sha1-prf.c	1
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/ap/./wpa_auth.h	1
src/common/./defs.h	7
src/crypto/aes-wrap.c	1
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/crypto/rc4.c	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/crypto/aes-omac1.c	4
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/utils/./os.h	3
src/utils/wpabuf.c	7
src/common/ieee802_11_common.c	10
src/crypto/sha256-prf.c	2
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
src/common/../utils/os.h	1
src/ap/../utils/list.h	4
src/crypto/aes-siv.c	6
src/crypto/aes-ctr.c	1
src/ap/pmksa_cache_auth.c	10
src/radius/radius.c	2
src/ap/../common/wpa_common.h	2
src/utils/./wpabuf.h	5
src/radius/../utils/os.h	1
src/ap/../utils/wpabuf.h	2
src/common/./ieee802_11_common.h	1
src/common/../utils/wpabuf.h	3

Fuzzer: ap-mgmt

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3745	94.7%
gold	[1:9]	1	0.02%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	207	5.23%
All colors	3953	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
30372	30372	12 : View List ['handle_deauth', 'handle_assoc', 'ether_addr_equal.3926', 'handle_action', 'handle_disassoc', 'sta_track_add', 'handle_probe_req', 'is_broadcast_ether_addr.4008', 'wpa_msg', 'notify_mgmt_frame', 'hostapd_logger', 'handle_auth']	30372	30372	ieee802_11_mgmt	call site: 02916	/src/hostap/src/ap/ieee802_11.c:6617
4795	4795	1 : View List ['hostapd_prune_associations']	4795	4795	ap_sta_set_authorized_flag	call site: 00538	/src/hostap/src/ap/sta_info.c:1542
57	62	2 : View List ['hostapd_drv_sta_remove', 'vlan_remove_dynamic']	63	113	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:374
54	54	1 : View List ['radius_client_flush_auth']	174	224	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:362
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00783	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
5	5	1 : View List ['hostapd_drv_br_delete_ip_neigh']	179	15390	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:243
2	2	1 : View List ['alarm']	2	2	eloop_process_pending_signals	call site: 03878	/src/hostap/tests/fuzzing/pasn-resp/../../../src/utils/eloop.c:1007
2	2	1 : View List ['clock_gettime']	2	2	os_get_reltime	call site: 00050	/src/hostap/tests/fuzzing/asn1/../../../src/utils/os_unix.c:94
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	1292	1 : View List ['ieee802_11_update_beacons']	174	13932	ap_free_sta	call site: 00537	/src/hostap/src/ap/sta_info.c:329
0	21	1 : View List ['wpa_hexdump']	0	21	__ieee802_11_parse_elems	call site: 02595	/src/hostap/src/common/ieee802_11_common.c:699
0	4	2 : View List ['free', 'wpabuf_free']	744	748	ieee802_1x_free_station	call site: 00973	/src/hostap/src/ap/ieee802_1x.c:1494

Runtime coverage analysis

Covered functions

106

Functions that are reachable but not covered

880

Reachable functions

986

Percentage of reachable functions covered

10.75%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/ap-mgmt/ap-mgmt.c	4
tests/fuzzing/ap-mgmt/../fuzzer-common.c	1
src/utils/os_unix.c	11
src/utils/eloop.c	21
src/utils/./list.h	5
src/utils/wpa_debug.c	11
src/ap/ap_config.c	19
src/ap/../utils/os.h	6
src/ap/../utils/list.h	6
src/ap/./ap_config.h	4
src/ap/sta_info.c	44
src/ap/accounting.c	7
src/radius/radius.c	28
src/utils/./os.h	4
src/utils/common.c	13
src/radius/radius_client.c	20
src/utils/wpabuf.c	7
src/radius/../utils/os.h	2
src/utils/./wpabuf.h	5
src/ap/../radius/radius.h	1
src/radius/../utils/wpabuf.h	8
src/ap/ieee802_1x.c	12
src/ap/../utils/common.h	14
src/ap/../common/defs.h	11
src/ap/wpa_auth.c	103
src/common/wpa_common.c	42
src/ap/../utils/wpabuf.h	9
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
src/ap/./ap_drv_ops.h	6
src/utils/ip_addr.c	1
src/crypto/md5-internal.c	5
src/utils/../utils/os.h	2
src/radius/../utils/common.h	3
src/crypto/md5.c	2
src/ap/utils.c	2
src/ap/ap_drv_ops.c	20
src/eapol_auth/eapol_auth_sm.c	36
src/eap_server/eap_server_methods.c	2
src/eapol_auth/../utils/wpabuf.h	2
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	5
src/eap_server/eap_server.c	54
src/eap_server/../utils/wpabuf.h	4
src/eap_server/../utils/common.h	2
src/eap_common/../utils/common.h	2
src/ap/ap_mlme.c	5
src/crypto/sha1-prf.c	1
src/crypto/sha1.c	2
src/crypto/sha1-internal.c	5
src/ap/./wpa_auth.h	1
src/common/./defs.h	7
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/aes-wrap.c	1
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/crypto/rc4.c	1
src/crypto/aes-omac1.c	4
src/ap/wpa_auth_ie.c	10
src/common/ieee802_11_common.c	31
src/crypto/sha256-prf.c	2
src/ap/wpa_auth_ft.c	68
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
src/common/../utils/common.h	7
src/common/../utils/os.h	1
src/crypto/aes-siv.c	6
src/crypto/aes-ctr.c	1
src/ap/ndisc_snoop.c	1
src/ap/ieee802_11_ht.c	14
src/ap/beacon.c	45
src/ap/hostapd.c	3
src/ap/ieee802_11.c	60
src/ap/./ieee802_11.h	3
src/ap/ieee802_11_shared.c	27
src/ap/dfs.c	4
src/ap/wmm.c	10
src/ap/hs20.c	1
src/crypto/sha1-pbkdf2.c	2
src/wps/wps.c	2
src/wps/../utils/wpabuf.h	8
src/wps/../utils/common.h	5
src/wps/wps_attr_build.c	3
src/common/hw_features_common.c	7
src/common/./ieee802_11_common.h	1
src/common/../utils/wpabuf.h	3
src/ap/wps_hostapd.c	2
src/ap/./preauth_auth.h	1
src/ap/vlan_init.c	4
src/ap/gas_serv.c	1
src/ap/ieee802_11_auth.c	7
src/ap/./mbo_ap.h	1
tests/fuzzing/ap-mgmt/../../../src/utils/common.h	1
src/ap/ap_list.c	11
src/ap/hw_features.c	2
src/ap/vlan.c	1
src/ap/vlan_ifconfig.c	3
src/ap/./sta_info.h	2
src/wps/wps_attr_parse.c	5
src/wps/../utils/wpa_debug.h	1
src/ap/../wps/wps.h	1
src/ap/pmksa_cache_auth.c	8
src/ap/../common/wpa_common.h	2
src/common/ptksa_cache.c	4
src/common/../utils/list.h	2
src/ap/rrm.c	14

Fuzzer: wnm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	6249	96.9%
gold	[1:9]	10	0.15%
yellow	[10:29]	22	0.34%
greenyellow	[30:49]	3	0.04%
lawngreen	50+	163	2.52%
All colors	6447	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
955	959	9 : View List ['scan_est_throughput', 'qsort', 'wpa_bss_update_start', 'wpa_bss_update_scan_res', 'wpa_bss_update_end', 'dump_scan_res', 'scan_snr', 'filter_scan_res', 'os_get_reltime']	955	996	wpa_supplicant_get_scan_results	call site: 00550	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/scan.c:3440
18	18	1 : View List ['ieee80211_chan_to_freq_us']	53	96	ieee80211_chan_to_freq	call site: 00524	/src/hostap/src/common/ieee802_11_common.c:2028
15	15	1 : View List ['ieee80211_chan_to_freq_eu']	35	73	ieee80211_chan_to_freq	call site: 00526	/src/hostap/src/common/ieee802_11_common.c:2034
14	14	1 : View List ['ieee80211_chan_to_freq_jp']	20	53	ieee80211_chan_to_freq	call site: 00528	/src/hostap/src/common/ieee802_11_common.c:2040
11	11	1 : View List ['wpa_debug_print_timestamp']	11	11	_wpa_hexdump	call site: 00035	/src/hostap/tests/fuzzing/asn1/../../../src/utils/wpa_debug.c:281
8	8	4 : View List ['free', 'os_calloc.3277', 'add_freq', 'chan_supported']	8	8	wnm_set_scan_freqs	call site: 06402	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.c:1235
6	6	1 : View List ['ieee80211_chan_to_freq_cn']	6	34	ieee80211_chan_to_freq	call site: 00530	/src/hostap/src/common/ieee802_11_common.c:2046
4	4	1 : View List ['wpa_scan_results_free']	4	4	wpa_supplicant_update_scan_results	call site: 00549	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/scan.c:3512
2	2	1 : View List ['alarm']	2	2	eloop_process_pending_signals	call site: 06413	/src/hostap/tests/fuzzing/pasn-resp/../../../src/utils/eloop.c:1007
2	2	1 : View List ['clock_gettime']	2	2	os_get_reltime	call site: 00027	/src/hostap/tests/fuzzing/asn1/../../../src/utils/os_unix.c:94
2	2	1 : View List ['atoi']	2	2	wpa_fuzzer_set_debug_level	call site: 00002	/src/hostap/tests/fuzzing/asn1/../fuzzer-common.c:23
0	0	None	11803	13782	wnm_scan_process	call site: 00794	/src/hostap/tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.c:1015

Runtime coverage analysis

Covered functions

87

Functions that are reachable but not covered

1295

Reachable functions

1382

Percentage of reachable functions covered

6.3%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzzing/wnm/wnm.c	4
tests/fuzzing/wnm/../fuzzer-common.c	1
src/utils/os_unix.c	12
src/utils/eloop.c	21
src/utils/./list.h	5
src/utils/wpa_debug.c	9
tests/fuzzing/wnm/../../../wpa_supplicant/bss.c	45
tests/fuzzing/wnm/../../../src/utils/list.h	6
src/utils/./os.h	4
tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.c	33
tests/fuzzing/wnm/../../../src/utils/common.h	14
src/rsn_supp/wpa.c	95
src/common/wpa_common.c	39
src/common/../utils/common.h	6
src/utils/common.c	20
src/utils/wpabuf.c	7
tests/fuzzing/wnm/../../../wpa_supplicant/notify.c	41
tests/fuzzing/wnm/../../../wpa_supplicant/dbus/dbus_new.h	13
tests/fuzzing/wnm/../../../src/utils/wpabuf.h	12
src/utils/./wpabuf.h	5
tests/fuzzing/wnm/../../../src/utils/os.h	9
tests/fuzzing/wnm/../../../wpa_supplicant/events.c	96
tests/fuzzing/wnm/../../../wpa_supplicant/bss.h	4
tests/fuzzing/wnm/../../../wpa_supplicant/wpa_supplicant.c	105
src/common/ieee802_11_common.c	42
tests/fuzzing/wnm/../../../wpa_supplicant/bssid_ignore.c	6
tests/fuzzing/wnm/../../../wpa_supplicant/scan.c	63
tests/fuzzing/wnm/../../../src/common/defs.h	9
tests/fuzzing/wnm/../../../wpa_supplicant/wps_supplicant.h	10
src/rsn_supp/wpa_ie.c	6
src/rsn_supp/../utils/common.h	9
tests/fuzzing/wnm/../../../src/drivers/driver_common.c	6
src/common/./ieee802_11_common.h	1
src/common/../utils/wpabuf.h	8
tests/fuzzing/wnm/../../../src/utils/wpa_debug.h	1
src/eap_peer/eap.c	64
tests/fuzzing/wnm/../../../wpa_supplicant/wpa_supplicant_i.h	3
tests/fuzzing/wnm/../../../wpa_supplicant/driver_i.h	32
tests/fuzzing/wnm/../../../wpa_supplicant/p2p_supplicant.h	15
tests/fuzzing/wnm/../../../wpa_supplicant/sme.h	12
tests/fuzzing/wnm/../../../wpa_supplicant/autoscan.h	3
tests/fuzzing/wnm/../../../wpa_supplicant/wmm_ac.c	24
src/eapol_supp/eapol_supp_sm.c	55
src/eapol_supp/../utils/wpabuf.h	2
src/eap_peer/../utils/wpabuf.h	7
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
src/crypto/sha1-internal.c	5
src/eap_peer/../utils/common.h	4
src/eap_common/eap_common.c	4
src/eap_common/../utils/wpabuf.h	6
src/eap_common/../utils/common.h	4
src/eap_peer/eap_methods.c	3
tests/fuzzing/wnm/../../../wpa_supplicant/wnm_sta.h	1
tests/fuzzing/wnm/../../../wpa_supplicant/wpas_glue.c	5
src/rsn_supp/preauth.c	10
src/rsn_supp/../utils/list.h	4
src/rsn_supp/pmksa_cache.c	16
src/rsn_supp/../common/defs.h	9
src/rsn_supp/../common/wpa_common.h	3
src/common/./defs.h	7
src/crypto/sha256.c	2
src/crypto/sha256-internal.c	5
src/crypto/../utils/common.h	4
src/crypto/sha1.c	2
src/rsn_supp/./wpa_i.h	20
src/l2_packet/l2_packet_linux.c	9
src/l2_packet/../utils/common.h	2
src/eap_peer/../utils/list.h	1
src/crypto/tls_internal.c	2
src/tls/tlsv1_client.c	2
src/crypto/crypto_internal.c	2
src/tls/tlsv1_server.c	2
src/tls/tlsv1_cred.c	1
src/tls/x509v3.c	3
src/crypto/crypto_internal-rsa.c	1
src/tls/rsa.c	1
src/tls/bignum.c	1
src/tls/./libtommath.c	1
src/crypto/md5.c	2
src/crypto/md5-internal.c	5
src/crypto/aes-omac1.c	4
src/crypto/aes-internal-enc.c	4
src/crypto/aes-internal.c	1
src/crypto/./aes_i.h	1
src/rsn_supp/tdls.c	22
src/rsn_supp/../rsn_supp/wpa_i.h	4
tests/fuzzing/wnm/../../../wpa_supplicant/rrm.c	30
tests/fuzzing/wnm/../../../wpa_supplicant/hs20_supplicant.c	9
src/utils/bitfield.c	4
tests/fuzzing/wnm/../../../wpa_supplicant/robust_av.c	22
src/common/ptksa_cache.c	4
src/common/../utils/list.h	2
src/crypto/sha1-pbkdf2.c	2
tests/fuzzing/wnm/../../../wpa_supplicant/op_classes.c	11
tests/fuzzing/wnm/../../../wpa_supplicant/config.c	13
src/utils/../utils/os.h	2
src/common/hw_features_common.c	9
tests/fuzzing/wnm/../../../src/rsn_supp/wpa.h	2
tests/fuzzing/wnm/../../../wpa_supplicant/bgscan.h	3
src/utils/crc32.c	1
tests/fuzzing/wnm/../../../wpa_supplicant/interworking.c	60
src/common/gas.c	8
tests/fuzzing/wnm/../../../wpa_supplicant/gas_query.c	22
tests/fuzzing/wnm/../../../wpa_supplicant/offchannel.c	5
src/common/../utils/os.h	1
src/rsn_supp/wpa_ft.c	6
src/crypto/sha256-prf.c	2
src/crypto/sha1-prf.c	1
src/crypto/rc4.c	1
src/crypto/aes-unwrap.c	1
src/crypto/aes-internal-dec.c	5
tests/fuzzing/wnm/../../../wpa_supplicant/mesh_mpm.h	2
tests/fuzzing/wnm/../../../wpa_supplicant/config_file.c	19
src/utils/base64.c	2