Public bug reported:

After the SSL rebuild, Remmina is crashing with a segmentation fault
when trying to connect to a Windows Server 2019 machine using RDP.

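I tried to remove the sensitive data from this backtrace (the target name in
frame #7 is redacted to TERMSRV/XXX.XXX.XXX.XXX); hopefully everything
sensitive was removed. Frames #1 and #2 still show the key and plaintext
buffers passed to the RC4 call exactly as gdb printed them.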

The full backtrace is:

(gdb) bt f
#0  0x00007ffff6d192e8 in EVP_CIPHER_CTX_set_key_length 
(c=c@entry=0x7fffe03310e0, keylen=keylen@entry=16) at 
../crypto/evp/evp_enc.c:979
        __func__ = "EVP_CIPHER_CTX_set_key_length"
#1  0x00007ffff1b2c4a8 in winpr_RC4_New_Internal
    (key=0x7fffe0373998 
"\223\234\376O`\245$\225\223\343\303\370\020\256\225\374\032N\317P\345\207K\320KX\231\307fb\314\307\032N\317P\345\207K\320KX\231\307fb\314",
 <incomplete sequence \307>, keylen=16, override_fips=0) at 
./winpr/libwinpr/crypto/cipher.c:75
        ctx = 0x7fffe03310e0
        evp = 0x7ffff6f7b240 <r4_cipher>
#2  0x00007ffff1b59ddd in ntlm_rc4k
    (length=16, ciphertext=0x7fffe03739c8 "", plaintext=0x7fffe03739a8 
"\032N\317P\345\207K\320KX\231\307fb\314\307\032N\317P\345\207K\320KX\231\307fb\314",
 <incomplete sequence \307>, key=0x7fffe0373998 
"\223\234\376O`\245$\225\223\343\303\370\020\256\225\374\032N\317P\345\207K\320KX\231\307fb\314\307\032N\317P\345\207K\320KX\231\307fb\314",
 <incomplete sequence \307>) at ./winpr/libwinpr/sspi/NTLM/ntlm_compute.c:491
        rc4 = <optimized out>
        status = -2146893052
        s = 0x7fffe03723b0
        length = <optimized out>
        StartOffset = <optimized out>
        PayloadOffset = <optimized out>
        AvTimestamp = <optimized out>
        message = 0x7fffe0373780
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#3  ntlm_encrypt_random_session_key (context=0x7fffe0373600) at 
./winpr/libwinpr/sspi/NTLM/ntlm_compute.c:566
        status = -2146893052
        s = 0x7fffe03723b0
        length = <optimized out>
        StartOffset = <optimized out>
        PayloadOffset = <optimized out>
        AvTimestamp = <optimized out>
        message = 0x7fffe0373780
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#4  ntlm_read_ChallengeMessage (buffer=<optimized out>, context=0x7fffe0373600) 
at ./winpr/libwinpr/sspi/NTLM/ntlm_message.c:513
        status = -2146893052
        s = 0x7fffe03723b0
        length = <optimized out>
        StartOffset = <optimized out>
        PayloadOffset = <optimized out>
        AvTimestamp = <optimized out>
        message = 0x7fffe0373780
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#5  ntlm_InitializeSecurityContextW
    (phCredential=phCredential@entry=0x7fffe0372e70, 
phContext=phContext@entry=0x7fffe0374230, pszTargetName=<optimized out>, 
fContextReq=fContextReq@entry=50, Reserved1=Reserved1@entry=0, 
TargetDataRep=TargetDataRep@entry=16, pInput=<optimized out>, Reserved2=<optimized out>, 
phNewContext=<optimized out>, pOutput=<optimized out>, pfContextAttr=<optimized 
out>, ptsExpiry=<optimized out>) at ./winpr/libwinpr/sspi/NTLM/ntlm.c:590
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#6  0x00007ffff1b5ac25 in ntlm_InitializeSecurityContextA 
(phCredential=0x7fffe0372e70, phContext=0x7fffe0374230, 
pszTargetName=<optimized out>, fContextReq=50, Reserved1=0, TargetDataRep=16, 
pInput=0x7fffe0372eb0, Reserved2=0, phNewContext=0x7fffe0374230, 
pOutput=0x7fffe0372ec0, pfContextAttr=0x7fffe0372e58, ptsExpiry=0x7fffe0372e80) 
at ./winpr/libwinpr/sspi/NTLM/ntlm.c:633
        status = <optimized out>
        pszTargetNameW = 0x7fffe0373cc0
#7  0x00007ffff1b6543f in winpr_InitializeSecurityContextA 
(phCredential=0x7fffe0372e70, phContext=0x7fffe0372e08, 
pszTargetName=0x7fffe0385fd0 "TERMSRV/XXX.XXX.XXX.XXX", fContextReq=50, 
Reserved1=0, TargetDataRep=16, pInput=0x7fffe0372eb0, Reserved2=0, 
phNewContext=0x7fffe0372e08, pOutput=0x7fffe0372ec0, 
pfContextAttr=0x7fffe0372e58, ptsExpiry=0x7fffe0372e80) at 
./winpr/libwinpr/sspi/sspi_winpr.c:1284
        Name = 0x7ffff1b9e684 "Negotiate"
        status = <optimized out>
        table = 0x7ffff1bd72c0 <NEGOTIATE_SecurityFunctionTableA>
        _log_cached_ptr = 0x0
        __FUNCTION__ = "winpr_InitializeSecurityContextA"
        _log_cached_ptr = 0x0
#8  0x00007ffff1d0301c in nla_client_recv (nla=0x7fffe0372df0) at 
./libfreerdp/core/nla.c:557
        status = -1
        _log_cached_ptr = 0x0
        __FUNCTION__ = "nla_recv_pdu"
#9  nla_recv_pdu (nla=0x7fffe0372df0, s=<optimized out>) at 
./libfreerdp/core/nla.c:2192
        _log_cached_ptr = 0x0
        __FUNCTION__ = "nla_recv_pdu"
#10 0x00007ffff1d3be99 in rdp_recv_callback (transport=<optimized out>, 
s=0x555555bad760, extra=0x555555e68000) at ./libfreerdp/core/rdp.c:1515
        status = 0
        rdp = 0x555555e68000
        _log_cached_ptr = 0x0
        __FUNCTION__ = "rdp_recv_callback"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#11 0x00007ffff1d37bbc in transport_check_fds (transport=0x555555b85510) at 
./libfreerdp/core/transport.c:1062
        status = 221
        recv_status = <optimized out>
        received = 0x555555bad760
        now = <optimized out>
        dueDate = 145082998
        status = <optimized out>
        transport = 0x555555b85510
        _log_cached_ptr = 0x0
        __FUNCTION__ = "rdp_check_fds"
        _log_cached_ptr = 0x0
#12 rdp_check_fds (rdp=0x555555e68000) at ./libfreerdp/core/rdp.c:1722
        status = <optimized out>
        transport = 0x555555b85510
        _log_cached_ptr = 0x0
        __FUNCTION__ = "rdp_check_fds"
        _log_cached_ptr = 0x0
#13 0x00007ffff1d3054d in rdp_client_connect (rdp=0x555555e68000) at 
./libfreerdp/core/connection.c:367
        SelectedProtocol = <optimized out>
        status = <optimized out>
        settings = 0x555555ea9ee0
        flags = <optimized out>
        timeout = 200
        __FUNCTION__ = "rdp_client_connect"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#14 0x00007ffff1d1e492 in freerdp_connect (instance=0x555555bfb3f0) at 
./libfreerdp/core/freerdp.c:197
        status = <optimized out>
        e = {e = {Size = 4135161392, Sender = 0x0}, result = 327824}
        status2 = 0
        rdp = 0x555555e68000
        settings = 0x555555ea9ee0
        __FUNCTION__ = "freerdp_connect"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#15 freerdp_connect (instance=0x555555bfb3f0) at ./libfreerdp/core/freerdp.c:153
        __FUNCTION__ = "freerdp_connect"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#16 0x00007ffff678d739 in remmina_rdp_main (gp=0x555555ae4a70) at 
./plugins/rdp/rdp_plugin.c:2053
        value = <optimized out>
        rfi = <optimized out>
        w = <optimized out>
        proxy_password = <optimized out>
        root = <optimized out>
        gateway_host = 0x7fffe0002900 "\340B"
        datapath = <optimized out>
        desktopScaleFactor = 0
        h = <optimized out>
        s = <optimized out>
        gateway_port = 32767
        i = <optimized out>
        desktopOrientation = 0
        deviceScaleFactor = 0
        proxy_port = <optimized out>
        verrev = 0
        proxy_username = <optimized out>
        sm = <optimized out>
        cs = <optimized out>
        remminafile = <optimized out>
        channels = 0x555555f59760
        status = <optimized out>
        proxy_hostname = <optimized out>
        proxy_type = <optimized out>
        vermaj = 2
        vermin = 3
        orphaned = <optimized out>
        gp = 0x555555ae4a70
        rfi = 0x555555c8e800
#17 remmina_rdp_main_thread (data=0x555555ae4a70) at 
./plugins/rdp/rdp_plugin.c:2258
        gp = 0x555555ae4a70
        rfi = 0x555555c8e800
#18 0x00007ffff683f927 in start_thread (arg=<optimized out>) at 
pthread_create.c:435
        ret = <optimized out>
        pd = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737152808512, 
-5239994127097218978, 140737488346590, 140737488346591, 0, 140737144418304, 
5239967739048409182, 5239973476643682398}, mask_was_saved = 0}}, priv = {pad = 
{0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#19 0x00007ffff68cf9e4 in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:100

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: remmina 1.4.21+dfsg-1build1
ProcVersionSignature: Ubuntu 5.15.0-13.13-generic 5.15.5
Uname: Linux 5.15.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu74
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: XFCE
Date: Mon Dec  6 16:45:05 2021
InstallationDate: Installed on 2017-06-13 (1636 days ago)
InstallationMedia: Xubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
SourcePackage: remmina
UpgradeStatus: Upgraded to jammy on 2019-12-22 (714 days ago)
modified.conffile..etc.cron.daily.apport: [deleted]

** Affects: remmina (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy package-from-proposed

https://bugs.launchpad.net/bugs/1953389

Title:
  Remmina segfault when trying to connect using RDP
