openssh bugs - May 2013 - [Bug 1990] sftp segfaults when tab-completing a directory which contains umlauts

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

Corentin Delcourt <codl at codl.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |codl at codl.fr

--- Comment #8 from Corentin Delcourt <codl at codl.fr> ---
Note that Arch Linux's version of libedit has wide character support
enabled [0].

[0]:
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libedit#n20

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

--- Comment #9 from Darren Tucker <dtucker at zip.com.au> ---
I've been able to reproduce the crash with libedit built with wide
character support.  Backtrace looks like the following when openssh and
libedit are built with full debugging symbols.  Looks like libedit is
calling strlen on a null string:

$ gdb -q ./sftp
Reading symbols from /home/dtucker/openssh-6.1p1/sftp...done.
(gdb) set args localhost
(gdb) run
Starting program: /home/dtucker/openssh-6.1p1/sftp localhost
warning: no loadable sections found in added symbol-file
system-supplied DSO at 0x7ffff7ffa000
Connected to gate.
sftp> cd /tmp/t
#0  0x00007ffff786da10 in wcslen () from
/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff7ba09c0 in el_winsertstr (el=0x623280, s=0x0) at
chared.c:615
#2  0x00007ffff7bc1cbe in el_insertstr (el=0x623280, 
    str=0x7fffffffd9f1 <incomplete sequence \303>) at eln.c:370
#3  0x00000000004083d2 in complete_match (el=0x623280, conn=0x6230c0, 
    remote_path=0x62e670 "/tmp/t", file=0x61e783 <argvs.11342+3>
"t",
    remote=1, lastarg=1, quote=0 '\000', terminated=1) at sftp.c:1773
#4  0x000000000040880a in complete (el=0x623280, ch=9) at sftp.c:1852
#5  0x00007ffff7ba96f0 in el_wgets (el=0x623280, nread=0x7fffffffdb34)
    at read.c:622
#6  0x00007ffff7bc09e5 in el_gets (el=0x623280, nread=0x7fffffffdb34)
    at eln.c:80
#7  0x0000000000408ded in interactive_loop (conn=0x6230c0, file1=0x0, 
    file2=0x0) at sftp.c:1965
#8  0x0000000000409a49 in main (argc=2, argv=0x7fffffffe568) at
sftp.c:2269
(gdb) print s
$1 = 0x0
(gdb) frame 2
#2  0x00007ffff7bc1cbe in el_insertstr (el=0x623280, 
    str=0x7fffffffd9f1 <incomplete sequence \303>) at eln.c:370
370        return el_winsertstr(el, ct_decode_string(str,
&el->el_lgcyconv));
(gdb) list
365    
366    
367    int
368    el_insertstr(EditLine *el, const char *str)
369    {
370        return el_winsertstr(el, ct_decode_string(str,
&el->el_lgcyconv));
371    }
(gdb) print str
$2 = 0x7fffffffd9f1 <incomplete sequence \303>

I don't know what's at fault, though.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

--- Comment #10 from Darren Tucker <dtucker at zip.com.au> ---
Looks like the segfault is a (fixed) bug in libedit:

https://bugzilla.redhat.com/show_bug.cgi?id=840598

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libedit/chared.c.diff?r1=1.36&r2=1.37

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

--- Comment #11 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2285
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2285&action=edit
make sftp just utf-8 aware enough to not crash libedit

Please try this patch, which should stop sftp from sending incomplete
utf8 characters to libedit.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2285|0                           |1
        is obsolete|                            |

--- Comment #12 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2286
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2286&action=edit
make sftp just utf-8 aware enough to not crash libedit

slightly better patch that checks for errors in mblen

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

--- Comment #13 from Guillaume ALAUX <guillaume at alaux.net> ---
Your patch works here with:

Arch Linux x86_64
OpenSSH 6.2p2
Libedit 20120601

No more segfault.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2286|0                           |1
        is obsolete|                            |

--- Comment #14 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2289
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2289&action=edit
make sftp just utf-8 aware enough to not crash libedit

add a check for excessively long characters (shouldn't happen, but ...)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2289|0                           |1
        is obsolete|                            |

--- Comment #15 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2291
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2291&action=edit
make sftp just utf-8 aware enough to not crash libedit

oops, now with actual patch

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

--- Comment #16 from Guillaume ALAUX <guillaume at alaux.net> ---
I confirm patch 2291 prevents segfault for the specified case also with
newest libedit:

Openssh 6.2p2 + patch "2291"
libedit 20130601_3.1

Thanks!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2076

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1990

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #17 from Darren Tucker <dtucker at zip.com.au> ---
thanks.  patch #2291 applied with a small change to prevent signed vs
unsigned warnings.  it'll be in the 6.3 release.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.