* [PATCH BlueZ 0/1] shared/shell: Fix SIGSEGV on invalid input @ 2026-03-19 2:16 Wouter 2026-03-19 2:16 ` [PATCH BlueZ 1/1] " Wouter 0 siblings, 1 reply; 7+ messages in thread From: Wouter @ 2026-03-19 2:16 UTC (permalink / raw) To: linux-bluetooth; +Cc: Wouter In `bluetoothctl` when entering a space followed by a tab the CLI crashes with a segfault. This patch fixes the user input handling. Wouter (1): shared/shell: Fix SIGSEGV on invalid input src/shared/shell.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) -- 2.53.0 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH BlueZ 1/1] shared/shell: Fix SIGSEGV on invalid input 2026-03-19 2:16 [PATCH BlueZ 0/1] shared/shell: Fix SIGSEGV on invalid input Wouter @ 2026-03-19 2:16 ` Wouter 2026-03-19 4:24 ` bluez.test.bot 2026-03-19 11:08 ` [PATCH BlueZ 1/1] " Bastien Nocera 0 siblings, 2 replies; 7+ messages in thread From: Wouter @ 2026-03-19 2:16 UTC (permalink / raw) To: linux-bluetooth; +Cc: Wouter This fixes a crash when handling "<space><tab>" --- src/shared/shell.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/shared/shell.c b/src/shared/shell.c index b061f8001..57bba0977 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -1174,15 +1174,17 @@ static char **shell_completion(const char *text, int start, int end) if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) return NULL; - matches = menu_completion(default_menu.entries, text, - w.we_wordc, w.we_wordv[0]); - if (!matches) { - matches = menu_completion(data.menu->entries, text, - w.we_wordc, - w.we_wordv[0]); - if (!matches) - matches = submenu_completion(text, w.we_wordc, + if (w.we_wordc != 0) { + matches = menu_completion(default_menu.entries, text, + w.we_wordc, w.we_wordv[0]); + if (!matches) { + matches = menu_completion(data.menu->entries, text, + w.we_wordc, w.we_wordv[0]); + if (!matches) + matches = submenu_completion(text, w.we_wordc, + w.we_wordv[0]); + } } wordfree(&w); -- 2.53.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
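Review bot: in shell_completion, when the new `if (w.we_wordc != 0)` test is false nothing in the hunk assigns `matches`, and its declaration lies outside the visible context; confirm it is initialised to NULL before this block so the code after `wordfree(&w)` never sees an indeterminate pointer. The commit message should also state the cause, namely that `w.we_wordv[0]` is read while `w.we_wordc` is zero.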
* RE: shared/shell: Fix SIGSEGV on invalid input 2026-03-19 2:16 ` [PATCH BlueZ 1/1] " Wouter @ 2026-03-19 4:24 ` bluez.test.bot 2026-03-19 11:08 ` [PATCH BlueZ 1/1] " Bastien Nocera 1 sibling, 0 replies; 7+ messages in thread From: bluez.test.bot @ 2026-03-19 4:24 UTC (permalink / raw) To: linux-bluetooth, wouter [-- Attachment #1: Type: text/plain, Size: 1671 bytes --] This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1068955 ---Test result--- Test Summary: CheckPatch PENDING 0.30 seconds GitLint PENDING 0.36 seconds BuildEll PASS 21.23 seconds BluezMake PASS 633.50 seconds MakeCheck PASS 18.51 seconds MakeDistcheck PASS 244.32 seconds CheckValgrind PASS 291.23 seconds CheckSmatch WARNING 352.53 seconds bluezmakeextell PASS 181.41 seconds IncrementalBuild PENDING 0.31 seconds ScanBuild PASS 1008.74 seconds Details ############################## Test: CheckPatch - PENDING Desc: Run checkpatch.pl script Output: ############################## Test: GitLint - PENDING Desc: Run gitlint Output: ############################## Test: CheckSmatch - WARNING Desc: Run smatch tool with source Output: src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h): ############################## Test: IncrementalBuild - PENDING Desc: Incremental build with the patches in the series Output: https://github.com/bluez/bluez/pull/1970/checks --- Regards, Linux Bluetooth ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH BlueZ 1/1] shared/shell: Fix SIGSEGV on invalid input 2026-03-19 2:16 ` [PATCH BlueZ 1/1] " Wouter 2026-03-19 4:24 ` bluez.test.bot @ 2026-03-19 11:08 ` Bastien Nocera 2026-03-19 11:15 ` Bastien Nocera 1 sibling, 1 reply; 7+ messages in thread From: Bastien Nocera @ 2026-03-19 11:08 UTC (permalink / raw) To: Wouter, linux-bluetooth On Thu, 2026-03-19 at 03:16 +0100, Wouter wrote: > This fixes a crash when handling "<space><tab>" That looks good to me, but is there any chance you could add the valgrind output when reproducing this crash? This should show the exact line where the problem is. I would also add an explanation to the commit message like: "Make sure to check w.we_wordc (word count) before accessing w.we_wordv (word array)" Cheers > --- > src/shared/shell.c | 18 ++++++++++-------- > 1 file changed, 10 insertions(+), 8 deletions(-) > > diff --git a/src/shared/shell.c b/src/shared/shell.c > index b061f8001..57bba0977 100644 > --- a/src/shared/shell.c > +++ b/src/shared/shell.c > @@ -1174,15 +1174,17 @@ static char **shell_completion(const char > *text, int start, int end) > if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) > return NULL; > > - matches = menu_completion(default_menu.entries, > text, > - w.we_wordc, > w.we_wordv[0]); > - if (!matches) { > - matches = menu_completion(data.menu- > >entries, text, > - w.we_wordc, > - > w.we_wordv[0]); > - if (!matches) > - matches = submenu_completion(text, > w.we_wordc, > + if (w.we_wordc != 0) { > + matches = > menu_completion(default_menu.entries, text, > + w.we_wordc, > w.we_wordv[0]); > + if (!matches) { > + matches = menu_completion(data.menu- > >entries, text, > + w.we > _wordc, > w.we > _wordv[0]); > + if (!matches) > + matches = > submenu_completion(text, w.we_wordc, > + > w.we_wordv[0]); > + } > } > > wordfree(&w); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH BlueZ 1/1] shared/shell: Fix SIGSEGV on invalid input 2026-03-19 11:08 ` [PATCH BlueZ 1/1] " Bastien Nocera @ 2026-03-19 11:15 ` Bastien Nocera 2026-03-19 14:10 ` Wouter 0 siblings, 1 reply; 7+ messages in thread From: Bastien Nocera @ 2026-03-19 11:15 UTC (permalink / raw) To: Wouter, linux-bluetooth On Thu, 2026-03-19 at 12:08 +0100, Bastien Nocera wrote: > On Thu, 2026-03-19 at 03:16 +0100, Wouter wrote: > > This fixes a crash when handling "<space><tab>" > > That looks good to me, but is there any chance you could add the > valgrind output when reproducing this crash? > > This should show the exact line where the problem is. > > I would also add an explanation to the commit message like: > "Make sure to check w.we_wordc (word count) before accessing > w.we_wordv > (word array)" Actually, looking at the valgrind output: ==1430873== Invalid read of size 1 ==1430873== at 0x484BC77: strcmp (vg_replace_strmem.c:941) ==1430873== by 0x435063: menu_completion (shell.c:1126) ==1430873== by 0x4352F0: shell_completion (shell.c:1177) ==1430873== by 0x4A2542B: gen_completion_matches (complete.c:1282) ==1430873== by 0x4A2E9CD: rl_complete_internal (complete.c:2104) ==1430873== by 0x4A257C2: _rl_dispatch_subseq (readline.c:944) ==1430873== by 0x4A26ADF: readline_internal_char (readline.c:693) ==1430873== by 0x4A46CE4: rl_callback_read_char (callback.c:275) ==1430873== by 0x435E54: bt_shell_input_line (shell.c:309) ==1430873== by 0x436A34: watch_callback (io-glib.c:173) ==1430873== by 0x490A322: g_main_dispatch (gmain.c:3565) ==1430873== by 0x490A322: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425) ==1430873== by 0x4913277: g_main_context_iterate_unlocked.isra.0 (gmain.c:4490) ==1430873== Address 0x0 is not stack'd, malloc'd or (recently) free'd I think that a check in src/shared/shell.c might be better (and would avoid having to fix the bug in 6 other places). Something like this? --- a/src/shared/shell.c +++ b/src/shared/shell.c 
@@ -1122,6 +1122,9 @@ static char **menu_completion(const struct bt_shell_menu_entry *entry, { char **matches = NULL; + if (argc == 0) + return NULL; + for (; entry->cmd; entry++) { if (strcmp(entry->cmd, input_cmd)) continue; @@ -1146,6 +1149,8 @@ static char **submenu_completion(const char *text, int argc, char *input_cmd) if (data.main != data.menu) return NULL; + if (!input_cmd) + return NULL; cmd = strrchr(input_cmd, '.'); if (!cmd) Let me know if you want to send a v2 with the mentioned changes instead. > > Cheers > > > --- > > src/shared/shell.c | 18 ++++++++++-------- > > 1 file changed, 10 insertions(+), 8 deletions(-) > > > > diff --git a/src/shared/shell.c b/src/shared/shell.c > > index b061f8001..57bba0977 100644 > > --- a/src/shared/shell.c > > +++ b/src/shared/shell.c > > @@ -1174,15 +1174,17 @@ static char **shell_completion(const char > > *text, int start, int end) > > if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) > > return NULL; > > > > - matches = menu_completion(default_menu.entries, > > text, > > - w.we_wordc, > > w.we_wordv[0]); > > - if (!matches) { > > - matches = menu_completion(data.menu- > > > entries, text, > > - > > w.we_wordc, > > - > > w.we_wordv > > [0]); > > - if (!matches) > > - matches = submenu_completion(text, > > w.we_wordc, > > + if (w.we_wordc != 0) { > > + matches = > > menu_completion(default_menu.entries, text, > > + w.we_wordc > > , > > w.we_wordv[0]); > > + if (!matches) { > > + matches = > > menu_completion(data.menu- > > > entries, text, > > + w. > > we > > _wordc, > > w. > > we > > _wordv[0]); > > + if (!matches) > > + matches = > > submenu_completion(text, w.we_wordc, > > + > > w.we_wordv[0]); > > + } > > } > > > > wordfree(&w); ^ permalink raw reply [flat|nested] 7+ messages in thread
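Review bot: the two added guards test different things for the same fault: menu_completion returns on `argc == 0` while submenu_completion returns on `!input_cmd`. The trace shows strcmp reading address 0x0 through input_cmd at shell.c:1126, so testing `!input_cmd` in menu_completion as well (alone or together with the argc test) guards the pointer that is actually dereferenced and keeps the two helpers consistent. The submenu_completion guard would also read better with a blank line separating it from the `data.main != data.menu` check.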
* Re: [PATCH BlueZ 1/1] shared/shell: Fix SIGSEGV on invalid input 2026-03-19 11:15 ` Bastien Nocera @ 2026-03-19 14:10 ` Wouter 0 siblings, 0 replies; 7+ messages in thread 
From: Wouter @ 2026-03-19 14:10 UTC (permalink / raw) To: Bastien Nocera, linux-bluetooth I'll send in a v2. I had shell_completion changed instead as it's the sole caller of those methods, and would mean it bails early rather than further down the callstack. Your suggestions are cleaner though, so I'll adjust and re-submit. - Wouter On Thu, 2026-03-19 at 12:15 +0100, Bastien Nocera wrote: > On Thu, 2026-03-19 at 12:08 +0100, Bastien Nocera wrote: > > On Thu, 2026-03-19 at 03:16 +0100, Wouter wrote: > > > This fixes a crash when handling "<space><tab>" > > > > That looks good to me, but is there any chance you could add the > > valgrind output when reproducing this crash? > > > > This should show the exact line where the problem is. > > > > I would also add an explanation to the commit message like: > > "Make sure to check w.we_wordc (word count) before accessing > > w.we_wordv > > (word array)" > > Actually, looking at the valgrind output: > ==1430873== Invalid read of size 1 > ==1430873== at 0x484BC77: strcmp (vg_replace_strmem.c:941) > ==1430873== by 0x435063: menu_completion (shell.c:1126) > ==1430873== by 0x4352F0: shell_completion (shell.c:1177) > ==1430873== by 0x4A2542B: gen_completion_matches (complete.c:1282) > ==1430873== by 0x4A2E9CD: rl_complete_internal (complete.c:2104) > ==1430873== by 0x4A257C2: _rl_dispatch_subseq (readline.c:944) > ==1430873== by 0x4A26ADF: readline_internal_char (readline.c:693) > ==1430873== by 0x4A46CE4: rl_callback_read_char (callback.c:275) > ==1430873== by 0x435E54: bt_shell_input_line (shell.c:309) > ==1430873== by 0x436A34: watch_callback (io-glib.c:173) > ==1430873== by 0x490A322: g_main_dispatch (gmain.c:3565) > ==1430873== by 0x490A322: > g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425) > ==1430873== by 0x4913277: g_main_context_iterate_unlocked.isra.0 > (gmain.c:4490) > ==1430873== Address 0x0 is not stack'd, malloc'd or (recently) > free'd > > I think that a check in src/shared/shell.c might be better (and 
would > avoid having to fix the bug in 6 other places). Something like this? > > --- a/src/shared/shell.c > +++ b/src/shared/shell.c > @@ -1122,6 +1122,9 @@ static char **menu_completion(const struct > bt_shell_menu_entry *entry, > { > char **matches = NULL; > > + if (argc == 0) > + return NULL; > + > for (; entry->cmd; entry++) { > if (strcmp(entry->cmd, input_cmd)) > continue; > @@ -1146,6 +1149,8 @@ static char **submenu_completion(const char > *text, int argc, char *input_cmd) > > if (data.main != data.menu) > return NULL; > + if (!input_cmd) > + return NULL; > > cmd = strrchr(input_cmd, '.'); > if (!cmd) > > Let me know if you want to send a v2 with the mentioned changes > instead. > > > > > Cheers > > > > > --- > > > src/shared/shell.c | 18 ++++++++++-------- > > > 1 file changed, 10 insertions(+), 8 deletions(-) > > > > > > diff --git a/src/shared/shell.c b/src/shared/shell.c > > > index b061f8001..57bba0977 100644 > > > --- a/src/shared/shell.c > > > +++ b/src/shared/shell.c 
> > > @@ -1174,15 +1174,17 @@ static char **shell_completion(const char > > > *text, int start, int end) > > > if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) > > > return NULL; > > > > > > - matches = menu_completion(default_menu.entries, > > > text, > > > - w.we_wordc, > > > w.we_wordv[0]); > > > - if (!matches) { > > > - matches = menu_completion(data.menu- > > > > entries, text, > > > - > > > w.we_wordc, > > > - > > > w.we_wordv > > > [0]); > > > - if (!matches) > > > - matches = submenu_completion(text, > > > w.we_wordc, > > > + if (w.we_wordc != 0) { > > > + matches = > > > menu_completion(default_menu.entries, text, > > > + w.we_wordc > > > , > > > w.we_wordv[0]); > > > + if (!matches) { > > > + matches = > > > menu_completion(data.menu- > > > > entries, text, > > > + w. > > > we > > > _wordc, > > > w. > > > we > > > _wordv[0]); > > > + if (!matches) > > > + matches = > > > submenu_completion(text, w.we_wordc, > > > + > > > w.we_wordv[0]); > > > + } > > > } > > > > > > wordfree(&w); ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH BlueZ v2 1/1] shared/shell: Fix SIGSEGV on invalid input @ 2026-03-19 14:14 Wouter 2026-03-19 15:54 ` bluez.test.bot 0 siblings, 1 reply; 7+ messages in thread From: Wouter @ 2026-03-19 14:14 UTC (permalink / raw) To: linux-bluetooth; +Cc: Wouter This fixes a crash when handling "<space><tab>" ==3760495== Invalid read of size 1 ==3760495== at 0x4902187: strcmp (vg_replace_strmem.c:941) ==3760495== by 0x4067408: menu_completion (shell.c:1126) ==3760495== by 0x40675DE: shell_completion (shell.c:1177) ==3760495== by 0x4B267AB: gen_completion_matches (complete.c:1282) ==3760495== by 0x4B2F8C1: rl_complete_internal (complete.c:2104) ==3760495== by 0x4B26B52: _rl_dispatch_subseq (readline.c:941) ==3760495== by 0x4B27B71: readline_internal_char (readline.c:690) ==3760495== by 0x4B48695: rl_callback_read_char (callback.c:275) ==3760495== by 0x40655F2: bt_shell_input_line (shell.c:309) ==3760495== by 0x406577E: input_read (shell.c:343) ==3760495== by 0x4068CB4: watch_callback (io-glib.c:173) ==3760495== by 0x49C1F4C: g_main_dispatch (gmain.c:3565) ==3760495== Address 0x0 is not stack'd, malloc'd or (recently) free'd --- src/shared/shell.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/shared/shell.c b/src/shared/shell.c index b061f8001..87a8a310d 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -1122,6 +1122,9 @@ static char **menu_completion(const struct bt_shell_menu_entry *entry, { char **matches = NULL; + if (argc == 0) + return NULL; + for (; entry->cmd; entry++) { if (strcmp(entry->cmd, input_cmd)) continue; @@ -1147,6 +1150,9 @@ static char **submenu_completion(const char *text, int argc, char *input_cmd) if (data.main != data.menu) return NULL; + if (!input_cmd) + return NULL; + cmd = strrchr(input_cmd, '.'); if (!cmd) return NULL; -- 2.53.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
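Review bot: neither added guard says why `input_cmd` can be NULL, either in menu_completion or in submenu_completion, and the commit message gives the trace without the cause. Add a sentence or a one-line comment stating that shell_completion passes `w.we_wordv[0]` even when `w.we_wordc` is zero, as happens for the "<space><tab>" input, so that a later caller of these helpers knows the guards are load-bearing.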
* RE: shared/shell: Fix SIGSEGV on invalid input 2026-03-19 14:14 [PATCH BlueZ v2 " Wouter @ 2026-03-19 15:54 ` bluez.test.bot 0 siblings, 0 replies; 7+ messages in thread From: bluez.test.bot @ 2026-03-19 15:54 UTC (permalink / raw) To: linux-bluetooth, wouter [-- Attachment #1: Type: text/plain, Size: 1671 bytes --] This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1069318 ---Test result--- Test Summary: CheckPatch PENDING 0.44 seconds GitLint PENDING 0.42 seconds BuildEll PASS 21.16 seconds BluezMake PASS 643.79 seconds MakeCheck PASS 18.66 seconds MakeDistcheck PASS 250.30 seconds CheckValgrind PASS 294.96 seconds CheckSmatch WARNING 354.79 seconds bluezmakeextell PASS 183.27 seconds IncrementalBuild PENDING 0.33 seconds ScanBuild PASS 1032.91 seconds Details ############################## Test: CheckPatch - PENDING Desc: Run checkpatch.pl script Output: ############################## Test: GitLint - PENDING Desc: Run gitlint Output: ############################## Test: CheckSmatch - WARNING Desc: Run smatch tool with source Output: src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h): ############################## Test: IncrementalBuild - PENDING Desc: Incremental build with the patches in the series Output: https://github.com/bluez/bluez/pull/1975/checks --- Regards, Linux Bluetooth ^ permalink raw reply [flat|nested] 7+ messages in thread
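The condition the thread converges on (check the `wordexp()` word count before touching the word array) shown as a stand-alone program. This is an added example, not code from BlueZ or from anyone in the thread; `demo_cmds`, `word_count` and `lookup_first_word` are hypothetical names and the command table is constructed.

```c
/* Added example; demo_cmds, word_count and lookup_first_word are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Constructed command table standing in for a shell menu. */
static const char *const demo_cmds[] = { "help", "quit", "scan", NULL };

/* Words wordexp() produces for line, or -1 if expansion is rejected. */
int word_count(const char *line)
{
	wordexp_t w;
	int n;

	if (wordexp(line, &w, WRDE_NOCMD))
		return -1;
	n = (int) w.we_wordc;
	wordfree(&w);
	return n;
}

/* Index of line's first word in demo_cmds, or -1 when there is none. */
int lookup_first_word(const char *line)
{
	wordexp_t w;
	int i, found = -1;

	if (wordexp(line, &w, WRDE_NOCMD))
		return -1;
	/*
	 * Zero words means there is no we_wordv[0] to compare: in the
	 * thread's trace that slot is NULL and strcmp() reads address 0x0.
	 * Check the count before touching the array.
	 */
	if (w.we_wordc != 0) {
		for (i = 0; demo_cmds[i]; i++) {
			if (!strcmp(demo_cmds[i], w.we_wordv[0])) {
				found = i;
				break;
			}
		}
	}
	wordfree(&w);
	return found;
}

int main(void)
{
	printf("words in \" \": %d\n", word_count(" "));
	printf("lookup \" \": %d\n", lookup_first_word(" "));
	printf("lookup \"scan on\": %d\n", lookup_first_word("scan on"));
	return 0;
}
```
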