Remmina segfault when trying to connect using RDP

Bug #1953389 reported by Leonardo Müller
This bug affects 1 person
Affects Status Importance Assigned to Milestone
remmina (Ubuntu)
New
Undecided
Unassigned

Bug Description

After the SSL rebuild, Remmina is crashing with a segmentation fault when trying to connect to a Windows Server 2019 machine using RDP.

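I tried to remove the sensitive data from this backtrace (the target name in frame #7 is replaced with TERMSRV/XXX.XXX.XXX.XXX); hopefully everything sensitive was removed, though frames #1 and #2 still print the key and plaintext buffers passed to the NTLM RC4 routine.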

The full backtrace is:

(gdb) bt f
#0 0x00007ffff6d192e8 in EVP_CIPHER_CTX_set_key_length (c=c@entry=0x7fffe03310e0, keylen=keylen@entry=16) at ../crypto/evp/evp_enc.c:979
        __func__ = "EVP_CIPHER_CTX_set_key_length"
#1 0x00007ffff1b2c4a8 in winpr_RC4_New_Internal
    (key=0x7fffe0373998 "\223\234\376O`\245$\225\223\343\303\370\020\256\225\374\032N\317P\345\207K\320KX\231\307fb\314\307\032N\317P\345\207K\320KX\231\307fb\314", <incomplete sequence \307>, keylen=16, override_fips=0) at ./winpr/libwinpr/crypto/cipher.c:75
        ctx = 0x7fffe03310e0
        evp = 0x7ffff6f7b240 <r4_cipher>
#2 0x00007ffff1b59ddd in ntlm_rc4k
    (length=16, ciphertext=0x7fffe03739c8 "", plaintext=0x7fffe03739a8 "\032N\317P\345\207K\320KX\231\307fb\314\307\032N\317P\345\207K\320KX\231\307fb\314", <incomplete sequence \307>, key=0x7fffe0373998 "\223\234\376O`\245$\225\223\343\303\370\020\256\225\374\032N\317P\345\207K\320KX\231\307fb\314\307\032N\317P\345\207K\320KX\231\307fb\314", <incomplete sequence \307>) at ./winpr/libwinpr/sspi/NTLM/ntlm_compute.c:491
        rc4 = <optimized out>
        status = -2146893052
        s = 0x7fffe03723b0
        length = <optimized out>
        StartOffset = <optimized out>
        PayloadOffset = <optimized out>
        AvTimestamp = <optimized out>
        message = 0x7fffe0373780
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#3 ntlm_encrypt_random_session_key (context=0x7fffe0373600) at ./winpr/libwinpr/sspi/NTLM/ntlm_compute.c:566
        status = -2146893052
        s = 0x7fffe03723b0
        length = <optimized out>
        StartOffset = <optimized out>
        PayloadOffset = <optimized out>
        AvTimestamp = <optimized out>
        message = 0x7fffe0373780
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#4 ntlm_read_ChallengeMessage (buffer=<optimized out>, context=0x7fffe0373600) at ./winpr/libwinpr/sspi/NTLM/ntlm_message.c:513
        status = -2146893052
        s = 0x7fffe03723b0
        length = <optimized out>
        StartOffset = <optimized out>
        PayloadOffset = <optimized out>
        AvTimestamp = <optimized out>
        message = 0x7fffe0373780
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#5 ntlm_InitializeSecurityContextW
    (phCredential=phCredential@entry=0x7fffe0372e70, phContext=phContext@entry=0x7fffe0374230, pszTargetName=<optimized out>, fContextReq=fContextReq@entry=50, Reserved1=Reserved1@entry=0, TargetDataRep=TargetDataRep@entry=16, pInput=<optimized out>, Reserved2=<optimized out>, phNewContext=<optimized out>, pOutput=<optimized out>, pfContextAttr=<optimized out>, ptsExpiry=<optimized out>) at ./winpr/libwinpr/sspi/NTLM/ntlm.c:590
        context = 0x7fffe0373600
        credentials = <optimized out>
        input_buffer = <optimized out>
        output_buffer = 0x0
        channel_bindings = <optimized out>
#6 0x00007ffff1b5ac25 in ntlm_InitializeSecurityContextA (phCredential=0x7fffe0372e70, phContext=0x7fffe0374230, pszTargetName=<optimized out>, fContextReq=50, Reserved1=0, TargetDataRep=16, pInput=0x7fffe0372eb0, Reserved2=0, phNewContext=0x7fffe0374230, pOutput=0x7fffe0372ec0, pfContextAttr=0x7fffe0372e58, ptsExpiry=0x7fffe0372e80) at ./winpr/libwinpr/sspi/NTLM/ntlm.c:633
        status = <optimized out>
        pszTargetNameW = 0x7fffe0373cc0
#7 0x00007ffff1b6543f in winpr_InitializeSecurityContextA (phCredential=0x7fffe0372e70, phContext=0x7fffe0372e08, pszTargetName=0x7fffe0385fd0 "TERMSRV/XXX.XXX.XXX.XXX", fContextReq=50, Reserved1=0, TargetDataRep=16, pInput=0x7fffe0372eb0, Reserved2=0, phNewContext=0x7fffe0372e08, pOutput=0x7fffe0372ec0, pfContextAttr=0x7fffe0372e58, ptsExpiry=0x7fffe0372e80) at ./winpr/libwinpr/sspi/sspi_winpr.c:1284
        Name = 0x7ffff1b9e684 "Negotiate"
        status = <optimized out>
        table = 0x7ffff1bd72c0 <NEGOTIATE_SecurityFunctionTableA>
        _log_cached_ptr = 0x0
        __FUNCTION__ = "winpr_InitializeSecurityContextA"
        _log_cached_ptr = 0x0
#8 0x00007ffff1d0301c in nla_client_recv (nla=0x7fffe0372df0) at ./libfreerdp/core/nla.c:557
        status = -1
        _log_cached_ptr = 0x0
        __FUNCTION__ = "nla_recv_pdu"
#9 nla_recv_pdu (nla=0x7fffe0372df0, s=<optimized out>) at ./libfreerdp/core/nla.c:2192
        _log_cached_ptr = 0x0
        __FUNCTION__ = "nla_recv_pdu"
#10 0x00007ffff1d3be99 in rdp_recv_callback (transport=<optimized out>, s=0x555555bad760, extra=0x555555e68000) at ./libfreerdp/core/rdp.c:1515
        status = 0
        rdp = 0x555555e68000
        _log_cached_ptr = 0x0
        __FUNCTION__ = "rdp_recv_callback"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#11 0x00007ffff1d37bbc in transport_check_fds (transport=0x555555b85510) at ./libfreerdp/core/transport.c:1062
        status = 221
        recv_status = <optimized out>
        received = 0x555555bad760
        now = <optimized out>
        dueDate = 145082998
        status = <optimized out>
        transport = 0x555555b85510
        _log_cached_ptr = 0x0
        __FUNCTION__ = "rdp_check_fds"
        _log_cached_ptr = 0x0
#12 rdp_check_fds (rdp=0x555555e68000) at ./libfreerdp/core/rdp.c:1722
        status = <optimized out>
        transport = 0x555555b85510
        _log_cached_ptr = 0x0
        __FUNCTION__ = "rdp_check_fds"
        _log_cached_ptr = 0x0
#13 0x00007ffff1d3054d in rdp_client_connect (rdp=0x555555e68000) at ./libfreerdp/core/connection.c:367
        SelectedProtocol = <optimized out>
        status = <optimized out>
        settings = 0x555555ea9ee0
        flags = <optimized out>
        timeout = 200
        __FUNCTION__ = "rdp_client_connect"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#14 0x00007ffff1d1e492 in freerdp_connect (instance=0x555555bfb3f0) at ./libfreerdp/core/freerdp.c:197
        status = <optimized out>
        e = {e = {Size = 4135161392, Sender = 0x0}, result = 327824}
        status2 = 0
        rdp = 0x555555e68000
        settings = 0x555555ea9ee0
        __FUNCTION__ = "freerdp_connect"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#15 freerdp_connect (instance=0x555555bfb3f0) at ./libfreerdp/core/freerdp.c:153
        __FUNCTION__ = "freerdp_connect"
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
        _log_cached_ptr = 0x0
#16 0x00007ffff678d739 in remmina_rdp_main (gp=0x555555ae4a70) at ./plugins/rdp/rdp_plugin.c:2053
        value = <optimized out>
        rfi = <optimized out>
        w = <optimized out>
        proxy_password = <optimized out>
        root = <optimized out>
        gateway_host = 0x7fffe0002900 "\340B"
        datapath = <optimized out>
        desktopScaleFactor = 0
        h = <optimized out>
        s = <optimized out>
        gateway_port = 32767
        i = <optimized out>
        desktopOrientation = 0
        deviceScaleFactor = 0
        proxy_port = <optimized out>
        verrev = 0
        proxy_username = <optimized out>
        sm = <optimized out>
        cs = <optimized out>
        remminafile = <optimized out>
        channels = 0x555555f59760
        status = <optimized out>
        proxy_hostname = <optimized out>
        proxy_type = <optimized out>
        vermaj = 2
        vermin = 3
        orphaned = <optimized out>
        gp = 0x555555ae4a70
        rfi = 0x555555c8e800
#17 remmina_rdp_main_thread (data=0x555555ae4a70) at ./plugins/rdp/rdp_plugin.c:2258
        gp = 0x555555ae4a70
        rfi = 0x555555c8e800
#18 0x00007ffff683f927 in start_thread (arg=<optimized out>) at pthread_create.c:435
        ret = <optimized out>
        pd = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737152808512, -5239994127097218978, 140737488346590, 140737488346591, 0, 140737144418304, 5239967739048409182, 5239973476643682398}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#19 0x00007ffff68cf9e4 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: remmina 1.4.21+dfsg-1build1
ProcVersionSignature: Ubuntu 5.15.0-13.13-generic 5.15.5
Uname: Linux 5.15.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu74
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: XFCE
Date: Mon Dec 6 16:45:05 2021
InstallationDate: Installed on 2017-06-13 (1636 days ago)
InstallationMedia: Xubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
SourcePackage: remmina
UpgradeStatus: Upgraded to jammy on 2019-12-22 (714 days ago)
modified.conffile..etc.cron.daily.apport: [deleted]
