Re: [Wireshark-dev] Crash in RDP/EGFX dissector

2023-01-19 Thread Alexis La Goutte
Hi,

Can you try to update the Wireshark release? (using the PPA)
https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable

Cheers


On Fri, Jan 13, 2023 at 7:35 PM Cristian Constantin via Wireshark-dev <wireshark-dev@wireshark.org> wrote:

> Hi!
>
> Wireshark crashes while decoding relatively large (~20 MBytes)
> captures with RDP traffic.
>
> Here is how the stack trace looks like (only frames 0-26, since there
> are 90 frames in the core dump):
>
> (gdb) bt
> #0  __memmove_avx_unaligned_erms () at
> ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:880
> #1  0x7f3f7b0061c7 in memcpy (__len=74141568, __src=<optimized out>, __dest=<optimized out>)
> at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> #2  zgfx_write_from_history (count=293605376, distance=<optimized out>, zgfx=0x5638bbfd2060)
> at ./epan/tvbuff_rdp.c:311
> #3  rdp8_decompress_segment (zgfx=zgfx@entry=0x5638bbfd2060,
> tvb=<optimized out>)
> at ./epan/tvbuff_rdp.c:441
> #4  0x7f3f7b006657 in rdp8_decompress
> (zgfx=0x5638bbfd2060, allocator=0x5638b94b9450,
> tvb=tvb@entry=0x5638c20a2d80, offset=1,
> offset@entry=0) at ./epan/tvbuff_rdp.c:478
> #5  0x7f3f7b882cdf in dissect_rdp_egfx
> (tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788,
> parent_tree=0x7f3f68011470, data=<optimized out>)
> at ./epan/dissectors/packet-rdp_egfx.c:385
> #6  0x7f3f7afb5558 in call_dissector_through_handle
> (handle=handle@entry=0x5638ba6133a0, tvb=tvb@entry=0x5638c20a2d80,
> pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eac00,
> data=data@entry=0x0) at ./epan/packet.c:757
> #7  0x7f3f7afb642d in call_dissector_work
> (handle=0x5638ba6133a0, tvb=0x5638c20a2d80,
> pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eac00, add_proto_name=1,
> data=0x0) at ./epan/packet.c:850
> #8  0x7f3f7afb8887 in call_dissector_with_data
> (handle=<optimized out>, tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788,
> tree=0x5638c08eac00, data=<optimized out>) at ./epan/packet.c:3283
> #9  0x7f3f7b8822cc in dissect_rdp_drdynvc
> (tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788, parent_tree=<optimized out>, data=<optimized out>)
> at ./epan/dissectors/packet-rdp_drdynvc.c:438
> #10 0x7f3f7afb5558 in call_dissector_through_handle
> (handle=handle@entry=0x5638ba613340, tvb=tvb@entry=0x5638c2013ca0,
> pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eab20,
> data=data@entry=0x0) at ./epan/packet.c:757
> #11 0x7f3f7afb642d in call_dissector_work
> (handle=0x5638ba613340, tvb=0x5638c2013ca0,
> pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eab20, add_proto_name=1,
> data=0x0) at ./epan/packet.c:850
> #12 0x7f3f7afb8887 in call_dissector_with_data
> (handle=<optimized out>, tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788,
> tree=0x5638c08eab20, data=<optimized out>) at ./epan/packet.c:3283
> #13 0x7f3f7b87ed63 in dissect_rdp_channelPDU
> (tree=0x5638c08eab20, pinfo=<optimized out>, offset=<optimized out>, tvb=0x5638c1ef3e80)
> at ./epan/dissectors/packet-rdp.c:1399
> #14 dissect_rdp_SendData
> (tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x5638c08eab20,
> data=<optimized out>)
> at ./epan/dissectors/packet-rdp.c:2162
> #15 0x7f3f7afb5558 in call_dissector_through_handle
> (handle=handle@entry=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80,
> pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x7f3f68011470,
> data=data@entry=0x0) at ./epan/packet.c:757
> #16 0x7f3f7afb642d in call_dissector_work
> (handle=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80,
> pinfo_arg=pinfo_arg@entry=0x7ffc1d3a9788,
> tree=tree@entry=0x7f3f68011470, add_proto_name=add_proto_name@entry=1,
> data=data@entry=0x0)
> at ./epan/packet.c:850
> #17 0x7f3f7afb6fc2 in dissector_try_uint_new
> (sub_dissectors=<optimized out>, uint_val=1007,
> tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x7f3f68011470,
> add_proto_name=add_proto_name@entry=1, data=0x0) at
> ./epan/packet.c:1450
> #18 0x7f3f7afb7035 in dissector_try_uint
> (sub_dissectors=<optimized out>, uint_val=<optimized out>,
> tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized out>) at
> ./epan/packet.c:1474
> #19 0x7f3f7bfb3bfa in dissect_t124_T_userData_01
> (tvb=<optimized out>, offset=6616, actx=0x7ffc1d3a7920,
> tree=<optimized out>, hf_index=<optimized out>) at
> ./asn1/t124/t124.cnf:187
> #20 0x7f3f7b80b792 in dissect_per_sequence
> (tvb=0x5638c1f76f70, offset=44, actx=0x7ffc1d3a7920,
> parent_tree=<optimized out>, hf_index=<optimized out>,
> ett_index=<optimized out>, sequence=0x7f3f7decb5a0
> )
> at ./epan/dissectors/packet-per.c:1925
> #21 0x7f3f7bfb2c4c in dissect_t124_SendDataIndication
> (tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=<optimized out>, hf_index=<optimized out>) at
> ./asn1/t124/t124.cnf:208
> #22 0x7f3f7b80b394 in dissect_per_choice
> (tvb=tvb@entry=0x5638c1f76f70, offset=6,
> offset@entry=0, actx=actx@entry=0x7ffc1d3a7920,
> tree=tree@entry=0x5638c08ea8b0, hf_index=188090, ett_index=49148,
> choice=0x7f3f7deca660 , value=0x7ffc1d3a791c)
> at ./epan/dissectors/packet-per.c:1768
> #23 0x7f3f7bfb4570 in dissect_t124_DomainMCSPDU
> (offset=0, hf_index=<optimized out>, tree=0x5638c08ea8b0,
> actx=0x7ffc1d3a7920, tvb=0x5638c1f76f70)
> at ./asn1/t124/t124.cnf:195
> #24 dissect_DomainMCSPDU_PDU
> (
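The trace above dies inside a history copy (zgfx_write_from_history -> memcpy) driven by a count of 293605376 bytes, far larger than any plausible decompression window. The example below is added here to show the bug class and the check a reviewer would look for; it is not Wireshark's zgfx code, and nothing in it describes the actual fix. The token format, the history size HIST_SIZE and the function names are invented for illustration, and the sample streams are constructed: a well-formed one (literal "abc" followed by a back-reference that repeats it) and a hostile one whose copy count is the value from the trace. The unchecked variant is kept only for contrast and is exercised only on well-formed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy history window. The real RDP8 bulk (zgfx) decoder keeps a much larger one;
 * this size is an assumption made for the example. */
#define HIST_SIZE 4096

typedef struct {
    uint8_t history[HIST_SIZE];
    size_t used;            /* number of valid bytes in history[] */
} hist_t;

/* Bug class seen in the trace: distance and count come straight from the wire and
 * drive the copy with no check against the window. Kept only for contrast;
 * never call it on untrusted input. */
void write_from_history_unchecked(hist_t *h, uint32_t distance, uint32_t count)
{
    for (uint32_t i = 0; i < count; i++) {      /* byte-wise so overlapping refs repeat */
        h->history[h->used] = h->history[h->used - distance];
        h->used++;
    }
}

/* Hardened form: reject a reference that reaches before the start of history,
 * and a count that would run past the end of the window. Returns 0 or -1. */
int write_from_history_checked(hist_t *h, uint32_t distance, uint32_t count)
{
    if (distance == 0 || distance > h->used)
        return -1;                              /* source lies outside valid history */
    if (count > HIST_SIZE - h->used)
        return -1;                              /* destination would overrun history[] */
    for (uint32_t i = 0; i < count; i++) {
        h->history[h->used] = h->history[h->used - distance];
        h->used++;
    }
    return 0;
}

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Constructed token stream for this example (not the RDP8 bulk encoding):
 *   0x00 n b0..b(n-1)               literal run of n bytes
 *   0x01 d3 d2 d1 d0 c3 c2 c1 c0    copy c bytes starting d bytes back (u32 big-endian)
 * Returns the decoded length, or -1 if any token is malformed or unsafe. */
long decode_stream(const uint8_t *in, size_t in_len, hist_t *h)
{
    size_t pos = 0;
    h->used = 0;
    while (pos < in_len) {
        uint8_t tok = in[pos++];
        if (tok == 0x00) {
            if (pos >= in_len) return -1;
            size_t n = in[pos++];
            if (n > in_len - pos) return -1;        /* literal run longer than the input */
            if (n > HIST_SIZE - h->used) return -1; /* literal run overruns the window */
            memcpy(&h->history[h->used], &in[pos], n);
            h->used += n;
            pos += n;
        } else if (tok == 0x01) {
            if (in_len - pos < 8) return -1;
            uint32_t distance = rd32be(&in[pos]);
            uint32_t count = rd32be(&in[pos + 4]);
            pos += 8;
            if (write_from_history_checked(h, distance, count) != 0) return -1;
        } else {
            return -1;                              /* unknown token */
        }
    }
    return (long)h->used;
}

/* Well-formed: literal "abc", then copy 6 bytes from 3 back -> "abcabcabc". */
static const uint8_t GOOD[] = { 0x00, 3, 'a', 'b', 'c', 0x01, 0, 0, 0, 3, 0, 0, 0, 6 };
/* Hostile: same prefix, but count = 293605376 (0x11800000), the value in the trace. */
static const uint8_t BAD[]  = { 0x00, 3, 'a', 'b', 'c', 0x01, 0, 0, 0, 3, 0x11, 0x80, 0x00, 0x00 };

long demo_good_len(void) { static hist_t h; return decode_stream(GOOD, sizeof GOOD, &h); }
int  demo_good_text_ok(void)
{
    static hist_t h;
    return decode_stream(GOOD, sizeof GOOD, &h) == 9 && memcmp(h.history, "abcabcabc", 9) == 0;
}
long demo_bad_len(void) { static hist_t h; return decode_stream(BAD, sizeof BAD, &h); }

int main(void)
{
    hist_t h = { .used = 0 };
    memcpy(h.history, "abc", 3);
    h.used = 3;
    write_from_history_unchecked(&h, 3, 6);    /* fine on well-formed data: "abcabcabc" */
    printf("unchecked on good data: %.*s\n", (int)h.used, (const char *)h.history);
    printf("checked, good stream: %ld bytes\n", demo_good_len());
    printf("checked, hostile count: %ld (rejected)\n", demo_bad_len());
    return 0;
}
```

The two checks in write_from_history_checked are the whole point: the distance must not reach before the first byte of valid history, and the count must fit in what remains of the window. A decoder that validates only one of them still lets a crafted segment read or write outside the buffer, which is what a copy of 74141568 bytes from a count of 293605376 looks like in the trace.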

Re: [Wireshark-dev] Crash in RDP/EGFX dissector

2023-01-13 Thread Cristian Constantin via Wireshark-dev
Hi Uli,


> > 1. Is this issue known? I tried to look it up on gitlab but I did not
> > find anything relevant. Should I file an issue on gitlab?
>
> Yes, please open a new issue for this using the bug template. Please attach a 
> sample capture to reproduce the bug.

The biggest problem with the capture is that it contains credentials
used to log on to the server and I cannot filter out the EGFX traffic
because wireshark crashes (90% of the time)... Let me see what I can
do.

Thanks,
Cristian
___
Sent via:    Wireshark-dev mailing list
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe


Re: [Wireshark-dev] Crash in RDP/EGFX dissector

2023-01-13 Thread Uli Heilmeier
Hi Christian,

> 1. Is this issue known? I tried to look it up on gitlab but I did not
> find anything relevant. Should I file an issue on gitlab?

Yes, please open a new issue for this using the bug template. Please attach a 
sample capture to reproduce the bug.

> 2. Can the EGFX decoder be turned off? I need the decoder for virtual
> channels though.

Yes, the EGFX dissector can be disabled. In the UI: Analyze -> Enabled Protocols -> search for EGFX.

Cheers
Uli
