[Bug 1990] sftp segfaults when tab-completing a directory which contains umlauts

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jun 1 11:11:50 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=1990

--- Comment #9 from Darren Tucker <dtucker at zip.com.au> ---
I've been able to reproduce the crash with libedit built with wide
character support.  Backtrace looks like the following when openssh and
libedit are built with full debugging symbols.  Looks like libedit is
calling strlen on a null string:

$ gdb -q ./sftp
Reading symbols from /home/dtucker/openssh-6.1p1/sftp...done.
(gdb) set args localhost
(gdb) run
Starting program: /home/dtucker/openssh-6.1p1/sftp localhost
warning: no loadable sections found in added symbol-file
system-supplied DSO at 0x7ffff7ffa000
Connected to gate.
sftp> cd /tmp/t
#0  0x00007ffff786da10 in wcslen () from
/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff7ba09c0 in el_winsertstr (el=0x623280, s=0x0) at
chared.c:615
#2  0x00007ffff7bc1cbe in el_insertstr (el=0x623280, 
    str=0x7fffffffd9f1 <incomplete sequence \303>) at eln.c:370
#3  0x00000000004083d2 in complete_match (el=0x623280, conn=0x6230c0, 
    remote_path=0x62e670 "/tmp/t", file=0x61e783 <argvs.11342+3> "t", 
    remote=1, lastarg=1, quote=0 '\000', terminated=1) at sftp.c:1773
#4  0x000000000040880a in complete (el=0x623280, ch=9) at sftp.c:1852
#5  0x00007ffff7ba96f0 in el_wgets (el=0x623280, nread=0x7fffffffdb34)
    at read.c:622
#6  0x00007ffff7bc09e5 in el_gets (el=0x623280, nread=0x7fffffffdb34)
    at eln.c:80
#7  0x0000000000408ded in interactive_loop (conn=0x6230c0, file1=0x0, 
    file2=0x0) at sftp.c:1965
#8  0x0000000000409a49 in main (argc=2, argv=0x7fffffffe568) at
sftp.c:2269
(gdb) print s
$1 = 0x0
(gdb) frame 2
#2  0x00007ffff7bc1cbe in el_insertstr (el=0x623280, 
    str=0x7fffffffd9f1 <incomplete sequence \303>) at eln.c:370
370        return el_winsertstr(el, ct_decode_string(str,
&el->el_lgcyconv));
(gdb) list
365    
366    
367    int
368    el_insertstr(EditLine *el, const char *str)
369    {
370        return el_winsertstr(el, ct_decode_string(str,
&el->el_lgcyconv));
371    }
(gdb) print str
$2 = 0x7fffffffd9f1 <incomplete sequence \303>

I don't know what's at fault, though.

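The failure mode in the backtrace above, as an added example that is not libedit's or OpenSSH's code: a hypothetical stand-in for ct_decode_string() that returns NULL when a byte string ends inside a UTF-8 multibyte sequence (a lone lead byte such as \303, as gdb reported), beside an insert routine that checks for that result instead of handing NULL to wcslen(). The byte strings in the test are constructed; decode_utf8() and safe_insert_len() are the example's own names.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical stand-in for libedit's ct_decode_string(): decode UTF-8 into
 * a malloc'd wide string, or return NULL if the input stops inside a
 * multibyte sequence (a lone lead byte such as "\303") or holds a stray
 * continuation byte. Overlong forms are not rejected. */
static wchar_t *decode_utf8(const char *s)
{
    size_t n = strlen(s), i = 0, o = 0, extra, k;
    wchar_t *out = malloc((n + 1) * sizeof(*out)), cp;
    if (out == NULL)
        return NULL;
    while (i < n) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x80)                { extra = 0; cp = c; }
        else if ((c & 0xE0) == 0xC0) { extra = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { extra = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { extra = 3; cp = c & 0x07; }
        else                         { free(out); return NULL; }
        if (i + extra >= n)          /* lead byte promises bytes the string lacks */
            { free(out); return NULL; }
        for (k = 1; k <= extra; k++) {
            unsigned char cb = (unsigned char)s[i + k];
            if ((cb & 0xC0) != 0x80) { free(out); return NULL; }
            cp = (cp << 6) | (cb & 0x3F);
        }
        out[o++] = cp;
        i += extra + 1;
    }
    out[o] = L'\0';
    return out;
}

/* Hardened counterpart of the el_insertstr() -> el_winsertstr() path in the
 * backtrace: check the decoder's result before handing it to wcslen().
 * Returns the count of wide characters to insert, or -1 when the bytes did
 * not decode (the point where the original path dereferences NULL). */
int safe_insert_len(const char *str)
{
    wchar_t *ws = decode_utf8(str);
    int len;
    if (ws == NULL)
        return -1;
    len = (int)wcslen(ws);
    free(ws);
    return len;
}
```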