Re: [Wireshark-dev] Crash in RDP/EGFX dissector
Hi,

Can you try to update the wireshark release? (using PPA)
https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable

Cheers

On Fri, Jan 13, 2023 at 7:35 PM Cristian Constantin via Wireshark-dev <wireshark-dev@wireshark.org> wrote:

> Hi!
>
> Wireshark crashes while decoding relatively large (~20 MBytes)
> captures with RDP traffic.
>
> Here is what the stack trace looks like (only frames 0-26, since there
> are 90 frames in the core dump):
>
> (gdb) bt
> #0 __memmove_avx_unaligned_erms () at
> ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:880
> #1 0x7f3f7b0061c7 in memcpy (__len=74141568, __src=<optimized out>, __dest=)
> at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> #2 zgfx_write_from_history (count=293605376, distance=<optimized out>, zgfx=0x5638bbfd2060)
> at ./epan/tvbuff_rdp.c:311
> #3 rdp8_decompress_segment (zgfx=zgfx@entry=0x5638bbfd2060,
> tvb=)
> at ./epan/tvbuff_rdp.c:441
> #4 0x7f3f7b006657 in rdp8_decompress
> (zgfx=0x5638bbfd2060, allocator=0x5638b94b9450,
> tvb=tvb@entry=0x5638c20a2d80, offset=1,
> offset@entry=0) at ./epan/tvbuff_rdp.c:478
> #5 0x7f3f7b882cdf in dissect_rdp_egfx
> (tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788,
> parent_tree=0x7f3f68011470, data=)
> at ./epan/dissectors/packet-rdp_egfx.c:385
> #6 0x7f3f7afb5558 in call_dissector_through_handle
> (handle=handle@entry=0x5638ba6133a0, tvb=tvb@entry=0x5638c20a2d80,
> pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eac00,
> data=data@entry=0x0) at ./epan/packet.c:757
> #7 0x7f3f7afb642d in call_dissector_work
> (handle=0x5638ba6133a0, tvb=0x5638c20a2d80,
> pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eac00, add_proto_name=1,
> data=0x0) at ./epan/packet.c:850
> #8 0x7f3f7afb8887 in call_dissector_with_data
> (handle=, tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788,
> tree=0x5638c08eac00, data=) at ./epan/packet.c:3283
> #9 0x7f3f7b8822cc in dissect_rdp_drdynvc
> (tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788, parent_tree=<optimized out>, data=)
> at ./epan/dissectors/packet-rdp_drdynvc.c:438
> #10 0x7f3f7afb5558 in call_dissector_through_handle
> (handle=handle@entry=0x5638ba613340, tvb=tvb@entry=0x5638c2013ca0,
> pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eab20,
> data=data@entry=0x0) at ./epan/packet.c:757
> #11 0x7f3f7afb642d in call_dissector_work
> (handle=0x5638ba613340, tvb=0x5638c2013ca0,
> pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eab20, add_proto_name=1,
> data=0x0) at ./epan/packet.c:850
> #12 0x7f3f7afb8887 in call_dissector_with_data
> (handle=, tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788,
> tree=0x5638c08eab20, data=) at ./epan/packet.c:3283
> #13 0x7f3f7b87ed63 in dissect_rdp_channelPDU
> (tree=0x5638c08eab20, pinfo=, offset=<optimized out>, tvb=0x5638c1ef3e80)
> at ./epan/dissectors/packet-rdp.c:1399
> #14 dissect_rdp_SendData
> (tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x5638c08eab20,
> data=)
> at ./epan/dissectors/packet-rdp.c:2162
> #15 0x7f3f7afb5558 in call_dissector_through_handle
> (handle=handle@entry=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80,
> pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x7f3f68011470,
> data=data@entry=0x0) at ./epan/packet.c:757
> #16 0x7f3f7afb642d in call_dissector_work
> (handle=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80,
> pinfo_arg=pinfo_arg@entry=0x7ffc1d3a9788,
> tree=tree@entry=0x7f3f68011470, add_proto_name=add_proto_name@entry=1,
> data=data@entry=0x0)
> at ./epan/packet.c:850
> #17 0x7f3f7afb6fc2 in dissector_try_uint_new
> (sub_dissectors=, uint_val=1007,
> tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x7f3f68011470,
> add_proto_name=add_proto_name@entry=1, data=0x0) at
> ./epan/packet.c:1450
> #18 0x7f3f7afb7035 in dissector_try_uint
> (sub_dissectors=, uint_val=,
> tvb=, pinfo=, tree=) at
> ./epan/packet.c:1474
> #19 0x7f3f7bfb3bfa in dissect_t124_T_userData_01
> (tvb=, offset=6616, actx=0x7ffc1d3a7920,
> tree=, hf_index=) at
> ./asn1/t124/t124.cnf:187
> #20 0x7f3f7b80b792 in dissect_per_sequence
> (tvb=0x5638c1f76f70, offset=44, actx=0x7ffc1d3a7920,
> parent_tree=,
> hf_index=,
> ett_index=, sequence=0x7f3f7decb5a0
> )
> at ./epan/dissectors/packet-per.c:1925
> #21 0x7f3f7bfb2c4c in dissect_t124_SendDataIndication
> --Type <RET> for more, q to quit, c to continue without paging--
> (tvb=, offset=, actx=<optimized out>, tree=, hf_index=) at
> ./asn1/t124/t124.cnf:208
> #22 0x7f3f7b80b394 in dissect_per_choice
> (tvb=tvb@entry=0x5638c1f76f70, offset=6,
> offset@entry=0, actx=actx@entry=0x7ffc1d3a7920,
> tree=tree@entry=0x5638c08ea8b0, hf_index=188090, ett_index=49148,
> choice=0x7f3f7deca660 , value=0x7ffc1d3a791c)
> at ./epan/dissectors/packet-per.c:1768
> #23 0x7f3f7bfb4570 in dissect_t124_DomainMCSPDU
> (offset=0, hf_index=, tree=0x5638c08ea8b0,
> actx=0x7ffc1d3a7920, tvb=0x5638c1f76f70)
> at ./asn1/t124/t124.cnf:195
> #24 dissect_DomainMCSPDU_PDU
> (
Re: [Wireshark-dev] Crash in RDP/EGFX dissector
Hi Uli,

> > 1. Is this issue known? I tried to look it up on gitlab but I did not
> > find anything relevant. Should I file an issue on gitlab?
>
> Yes, please open a new issue for this using the bug template. Please attach a
> sample capture to reproduce the bug.

The biggest problem with the capture is that it contains credentials used to log on to the server and I cannot filter out the EGFX traffic because wireshark crashes (90% of the time)...

Let me see what I can do.

Thanks,
Cristian

___
Sent via:    Wireshark-dev mailing list
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Crash in RDP/EGFX dissector
Hi Cristian,

> 1. Is this issue known? I tried to look it up on gitlab but I did not
> find anything relevant. Should I file an issue on gitlab?

Yes, please open a new issue for this using the bug template. Please attach a sample capture to reproduce the bug.

> 2. Can the EGFX decoder be turned off? I need the decoder for virtual
> channels though.

Yes. EGFX dissector can be disabled. In the UI:
Analyze -> Enabled Protocols -> Search for EGFX

Cheers
Uli
[Wireshark-dev] Crash in RDP/EGFX dissector
Hi!

Wireshark crashes while decoding relatively large (~20 MBytes) captures with RDP traffic.

Here is what the stack trace looks like (only frames 0-26, since there are 90 frames in the core dump):

(gdb) bt
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:880
#1 0x7f3f7b0061c7 in memcpy (__len=74141568, __src=<optimized out>, __dest=) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 zgfx_write_from_history (count=293605376, distance=<optimized out>, zgfx=0x5638bbfd2060) at ./epan/tvbuff_rdp.c:311
#3 rdp8_decompress_segment (zgfx=zgfx@entry=0x5638bbfd2060, tvb=) at ./epan/tvbuff_rdp.c:441
#4 0x7f3f7b006657 in rdp8_decompress (zgfx=0x5638bbfd2060, allocator=0x5638b94b9450, tvb=tvb@entry=0x5638c20a2d80, offset=1, offset@entry=0) at ./epan/tvbuff_rdp.c:478
#5 0x7f3f7b882cdf in dissect_rdp_egfx (tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788, parent_tree=0x7f3f68011470, data=) at ./epan/dissectors/packet-rdp_egfx.c:385
#6 0x7f3f7afb5558 in call_dissector_through_handle (handle=handle@entry=0x5638ba6133a0, tvb=tvb@entry=0x5638c20a2d80, pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eac00, data=data@entry=0x0) at ./epan/packet.c:757
#7 0x7f3f7afb642d in call_dissector_work (handle=0x5638ba6133a0, tvb=0x5638c20a2d80, pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eac00, add_proto_name=1, data=0x0) at ./epan/packet.c:850
#8 0x7f3f7afb8887 in call_dissector_with_data (handle=, tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788, tree=0x5638c08eac00, data=) at ./epan/packet.c:3283
#9 0x7f3f7b8822cc in dissect_rdp_drdynvc (tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788, parent_tree=<optimized out>, data=) at ./epan/dissectors/packet-rdp_drdynvc.c:438
#10 0x7f3f7afb5558 in call_dissector_through_handle (handle=handle@entry=0x5638ba613340, tvb=tvb@entry=0x5638c2013ca0, pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eab20, data=data@entry=0x0) at ./epan/packet.c:757
#11 0x7f3f7afb642d in call_dissector_work (handle=0x5638ba613340, tvb=0x5638c2013ca0, pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eab20, add_proto_name=1, data=0x0) at ./epan/packet.c:850
#12 0x7f3f7afb8887 in call_dissector_with_data (handle=, tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788, tree=0x5638c08eab20, data=) at ./epan/packet.c:3283
#13 0x7f3f7b87ed63 in dissect_rdp_channelPDU (tree=0x5638c08eab20, pinfo=, offset=<optimized out>, tvb=0x5638c1ef3e80) at ./epan/dissectors/packet-rdp.c:1399
#14 dissect_rdp_SendData (tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x5638c08eab20, data=) at ./epan/dissectors/packet-rdp.c:2162
#15 0x7f3f7afb5558 in call_dissector_through_handle (handle=handle@entry=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80, pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x7f3f68011470, data=data@entry=0x0) at ./epan/packet.c:757
#16 0x7f3f7afb642d in call_dissector_work (handle=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80, pinfo_arg=pinfo_arg@entry=0x7ffc1d3a9788, tree=tree@entry=0x7f3f68011470, add_proto_name=add_proto_name@entry=1, data=data@entry=0x0) at ./epan/packet.c:850
#17 0x7f3f7afb6fc2 in dissector_try_uint_new (sub_dissectors=, uint_val=1007, tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x7f3f68011470, add_proto_name=add_proto_name@entry=1, data=0x0) at ./epan/packet.c:1450
#18 0x7f3f7afb7035 in dissector_try_uint (sub_dissectors=, uint_val=, tvb=, pinfo=, tree=) at ./epan/packet.c:1474
#19 0x7f3f7bfb3bfa in dissect_t124_T_userData_01 (tvb=, offset=6616, actx=0x7ffc1d3a7920, tree=, hf_index=) at ./asn1/t124/t124.cnf:187
#20 0x7f3f7b80b792 in dissect_per_sequence (tvb=0x5638c1f76f70, offset=44, actx=0x7ffc1d3a7920, parent_tree=, hf_index=, ett_index=, sequence=0x7f3f7decb5a0 ) at ./epan/dissectors/packet-per.c:1925
#21 0x7f3f7bfb2c4c in dissect_t124_SendDataIndication
--Type <RET> for more, q to quit, c to continue without paging--
(tvb=, offset=, actx=<optimized out>, tree=, hf_index=) at ./asn1/t124/t124.cnf:208
#22 0x7f3f7b80b394 in dissect_per_choice (tvb=tvb@entry=0x5638c1f76f70, offset=6, offset@entry=0, actx=actx@entry=0x7ffc1d3a7920, tree=tree@entry=0x5638c08ea8b0, hf_index=188090, ett_index=49148, choice=0x7f3f7deca660 , value=0x7ffc1d3a791c) at ./epan/dissectors/packet-per.c:1768
#23 0x7f3f7bfb4570 in dissect_t124_DomainMCSPDU (offset=0, hf_index=, tree=0x5638c08ea8b0, actx=0x7ffc1d3a7920, tvb=0x5638c1f76f70) at ./asn1/t124/t124.cnf:195
#24 dissect_DomainMCSPDU_PDU (tvb=tvb@entry=0x5638c1f76f70, pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08ea8b0) at ./asn1/t124/packet-t124-template.c:102
#25 0x7f3f7bfb4b71 in dissect_t125 (tvb=tvb@entry=0x5638c1f76f70, pinfo=pinfo@entry=0x7ffc1d3a9788, parent_tree=parent_tree@entry=0x7f3f68011470, data=data@entry=0x0) at ./asn1/t125/packet-t125-template.c:78
#26 0x7f3f7bfb4dcc in dissect_t125_heur

Details about frames 2, 3:

(gdb) f 2
#2 zgfx_write_from_history (
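
Added example, not part of the thread and not Wireshark's code: frames #1 and #2 above show a copy-from-history call with count=293605376 reaching memcpy. The sketch below shows the checks such a copy needs when count and distance are read from the compressed stream; the struct, function names and the 4096-byte history size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names and sizes for illustration; not taken from tvbuff_rdp.c. */
#define HIST_SIZE 4096u
typedef struct {
    uint8_t  history[HIST_SIZE]; /* ring buffer of bytes already emitted */
    uint32_t hist_index;         /* next write position in the ring */
    uint32_t hist_fill;          /* number of valid bytes in the ring */
    uint8_t *out;                /* output buffer for the current segment */
    size_t   out_len, out_cap;
} decomp_ctx;

/* Append one byte to the output and the history. Returns 0 on success. */
int emit_literal(decomp_ctx *c, uint8_t b)
{
    if (c->out_len >= c->out_cap) return -1;
    c->out[c->out_len++] = b;
    c->history[c->hist_index] = b;
    c->hist_index = (c->hist_index + 1) % HIST_SIZE;
    if (c->hist_fill < HIST_SIZE) c->hist_fill++;
    return 0;
}

/* Copy `count` bytes starting `distance` bytes back in the history. Both
 * values come from the compressed stream, so they are checked before any
 * byte moves. Returns 0 on success, -1 on a malformed match. */
int write_from_history(decomp_ctx *c, uint32_t distance, uint32_t count)
{
    if (distance == 0 || distance > c->hist_fill) return -1; /* before valid data */
    if (count > c->out_cap - c->out_len) return -1;          /* overruns output */
    /* Byte-wise copy handles ring wrap-around and overlapping matches
     * (distance < count), where the source is extended while writing. */
    uint32_t src = (c->hist_index + HIST_SIZE - distance) % HIST_SIZE;
    while (count--) {
        if (emit_literal(c, c->history[src]) != 0) return -1;
        src = (src + 1) % HIST_SIZE;
    }
    return 0;
}

int main(void)
{
    uint8_t buf[16];
    decomp_ctx c = { .out = buf, .out_cap = sizeof buf };
    emit_literal(&c, 'a'); emit_literal(&c, 'b');
    printf("valid match: %d\n", write_from_history(&c, 2, 4));
    printf("count from the trace: %d\n", write_from_history(&c, 1, 293605376u));
    return 0;
}
```

A rejected match leaves the output and history untouched, so the caller can mark the packet as malformed and continue with the next one.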