From 83639e9147c7a19ff3be3835c0dd071fbae80b52 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Mon, 6 Jun 2016 18:06:23 -0700
Subject: [PATCH] Fix binpac exception in RFB analyzer.
The RFB analyzer's state machine did not foresee that a server could send two subsequent messages in one packet. This would result in the error.
Patch by Martin van Hensbergen.
---
 src/analyzer/protocol/rfb/rfb-analyzer.pac | 8 ++++++--
 src/analyzer/protocol/rfb/rfb-protocol.pac | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac
index cd24ea0ced..39a792ba89 100644
--- a/src/analyzer/protocol/rfb/rfb-analyzer.pac
+++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac
@@ -150,8 +150,12 @@ refine connection RFB_Conn += {
 }
 if ( msg->sectype() == 2 )
- { //VNC
- state = AWAITING_SERVER_CHALLENGE;
+ { // VNC
+ if ( ${msg.possible_challenge}.length() == 16 )
+ // Challenge was already sent with this message
+ state = AWAITING_CLIENT_RESPONSE;
+ else
+ state = AWAITING_SERVER_CHALLENGE;
 }
 return true;
 %}
diff --git a/src/analyzer/protocol/rfb/rfb-protocol.pac b/src/analyzer/protocol/rfb/rfb-protocol.pac
index d80416664b..bfddbeea0e 100644
--- a/src/analyzer/protocol/rfb/rfb-protocol.pac
+++ b/src/analyzer/protocol/rfb/rfb-protocol.pac
@@ -28,6 +28,7 @@ type RFBProtocolVersion (client: bool) = record {
 type RFBSecurityTypes = record {
 sectype: uint32;
+ possible_challenge: bytestring &restofdata;
 } &let {
 proc: bool = $context.connection.handle_security_types(this);
 proc2: bool = $context.flow.proc_security_types(this);
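Review bot: The new check in the `sectype() == 2` branch accepts only a trailing length of exactly 16 as a coalesced challenge. Any other non-zero length (a challenge split across deliveries, or a challenge followed by further server data) takes the `else` path and leaves the state at AWAITING_SERVER_CHALLENGE, even though `possible_challenge` in rfb-protocol.pac has already consumed those bytes. Because this analyzer parses traffic from untrusted peers, the state machine can then drift out of step with the stream, so that case deserves its own branch, e.g. `else if ( ${msg.possible_challenge}.length() != 0 )`, which reports a protocol violation instead of silently waiting. The literal 16 would also read better as a named constant with a comment saying it is the VNC authentication challenge size. The enclosing function starts above the hunk, so how the other states react is not visible here.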
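Review bot: `possible_challenge: bytestring &restofdata;` is attached to every RFBSecurityTypes message, not only to those with `sectype == 2`, so whatever follows the security type in the same delivery is consumed by this record. As far as the two hunks show, those bytes are only inspected in the VNC branch of rfb-analyzer.pac. For any other security type they appear to be dropped unparsed, which is worth confirming against the handlers outside this patch. The field also has no comment, so I would add `# Data that arrived together with sectype; exactly 16 bytes is a VNC challenge sent in the same packet.` above it to make the coupling with the length check in the analyzer visible.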