* [PATCH BlueZ 0/1] shared/shell: Fix crash on bluetoothctl command completion
@ 2026-03-19 13:25 Bastien Nocera
From: Bastien Nocera @ 2026-03-19 13:25 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Wouter
Based on a report by Wouter <wouter@xesxen.nl>
Test case at:
https://github.com/hadess/bluez/blob/wip/hadess/add-meson-ell-wrap/unit/integration-test.py#L258
Bastien Nocera (1):
shared/shell: Fix crash on bluetoothctl command completion
src/shared/shell.c | 5 +++++
1 file changed, 5 insertions(+)
--
2.53.0
* [PATCH BlueZ 1/1] shared/shell: Fix crash on bluetoothctl command completion
From: Bastien Nocera @ 2026-03-19 13:25 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Wouter
Don't try to complete empty commands, leading to invalid reads and
crashes.
==1430873== Invalid read of size 1
==1430873== at 0x484BC77: strcmp (vg_replace_strmem.c:941)
==1430873== by 0x435063: menu_completion (shell.c:1126)
==1430873== by 0x4352F0: shell_completion (shell.c:1177)
==1430873== by 0x4A2542B: gen_completion_matches (complete.c:1282)
==1430873== by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
==1430873== by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
==1430873== by 0x4A26ADF: readline_internal_char (readline.c:693)
==1430873== by 0x4A46CE4: rl_callback_read_char (callback.c:275)
==1430873== by 0x435E54: bt_shell_input_line (shell.c:309)
==1430873== by 0x436A34: watch_callback (io-glib.c:173)
==1430873== by 0x490A322: g_main_dispatch (gmain.c:3565)
==1430873== by 0x490A322: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
==1430873== by 0x4913277: g_main_context_iterate_unlocked.isra.0 (gmain.c:4490)
==1430873== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1516885== at 0x484A126: rindex (vg_replace_strmem.c:216)
==1516885== by 0x4353AA: submenu_completion (shell.c:1153)
==1516885== by 0x4353AA: shell_completion (shell.c:1187)
==1516885== by 0x4A2542B: gen_completion_matches (complete.c:1282)
==1516885== by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
==1516885== by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
==1516885== by 0x4A26ADF: readline_internal_char (readline.c:693)
==1516885== by 0x4A46CE4: rl_callback_read_char (callback.c:275)
==1516885== by 0x435E94: bt_shell_input_line (shell.c:309)
==1516885== by 0x436A74: watch_callback (io-glib.c:173)
==1516885== by 0x490A322: g_main_dispatch (gmain.c:3565)
==1516885== by 0x490A322: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
==1516885== by 0x4913277: g_main_context_iterate_unlocked.isra.0 (gmain.c:4490)
==1516885== by 0x491351E: g_main_loop_run (gmain.c:4695)
==1516885== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Reported-by: Wouter <wouter@xesxen.nl>
---
src/shared/shell.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/shared/shell.c b/src/shared/shell.c
index b061f8001414..805f4b77016b 100644
--- a/src/shared/shell.c
+++ b/src/shared/shell.c
@@ -1122,6 +1122,9 @@ static char **menu_completion(const struct bt_shell_menu_entry *entry,
{
char **matches = NULL;
+ if (argc == 0)
+ return NULL;
+
for (; entry->cmd; entry++) {
if (strcmp(entry->cmd, input_cmd))
continue;
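Review bot: the guard added at the top of menu_completion tests argc, but the pointer strcmp() dereferences three lines later is input_cmd, and the first Valgrind trace (strcmp at shell.c:1126, address 0x0) shows that input_cmd itself was NULL. Unless every caller guarantees that argc == 0 is the only way input_cmd can be NULL, guard the value actually used, e.g. `if (argc == 0 || !input_cmd)` or simply `if (!input_cmd)`, which also matches the check the second hunk adds to submenu_completion.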
@@ -1146,6 +1149,8 @@ static char **submenu_completion(const char *text, int argc, char *input_cmd)
if (data.main != data.menu)
return NULL;
+ if (!input_cmd)
+ return NULL;
cmd = strrchr(input_cmd, '.');
if (!cmd)
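Review bot: the new `if (!input_cmd)` block in submenu_completion should be separated from the preceding `if (data.main != data.menu)` block by a blank line, as the first hunk does in menu_completion; as written the two unrelated early returns read as one. The guard itself is placed correctly, before the strrchr() that the second trace reports (as rindex, shell.c:1153) reading NULL, but note that argc, which this function also receives, is not consulted here while the first hunk relies on it alone; using the same condition in both places would make the fix easier to audit.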
--
2.53.0
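The failure mode behind both traces, as an added C example that is not BlueZ's code: a minimal bluetoothctl-style completer with constructed menu tables and its own tokenizer (menu_entry, tokenize and complete_line are names invented here). An empty or whitespace-only line tokenizes to argc == 0 with a NULL command, which is what the unguarded strcmp() and strrchr() received. The guards go one step beyond the patch: menu_completion checks the pointer it dereferences as well as argc, so the two entry points cannot drift apart.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed menu tables (not BlueZ's bt_shell_menu); the command names
 * mirror bluetoothctl and the argument hint doubles as the "completion". */
struct menu_entry {
	const char *cmd;
	const char *arg;
};

static const struct menu_entry main_menu[] = {
	{ "connect", "<dev>" },
	{ NULL, NULL }
};

static const struct menu_entry gatt_menu[] = {
	{ "select-attribute", "<attribute/UUID>" },
	{ NULL, NULL }
};

#define MAX_ARGS 8

/* Split a readline buffer into argv. An empty or whitespace-only line gives
 * argc == 0 and argv[0] == NULL, the input behind the address-0x0 reads. */
static int tokenize(char *line, char **argv)
{
	int argc = 0;
	char *save = NULL, *tok;
	for (tok = strtok_r(line, " \t\n", &save);
	     tok && argc < MAX_ARGS - 1;
	     tok = strtok_r(NULL, " \t\n", &save))
		argv[argc++] = tok;
	argv[argc] = NULL;
	return argc;
}

/* Guard argc and the pointer actually dereferenced (the patch checks argc). */
static const char *menu_completion(const struct menu_entry *entry,
				   int argc, const char *input_cmd)
{
	if (argc == 0 || !input_cmd)
		return NULL;

	for (; entry->cmd; entry++) {
		if (strcmp(entry->cmd, input_cmd))
			continue;
		return entry->arg;
	}
	return NULL;
}

/* "menu.command" syntax: the NULL check must precede strrchr(), which the
 * second trace shows (as rindex) reading NULL. */
static const char *submenu_completion(const char *input_cmd)
{
	const char *cmd;

	if (!input_cmd)
		return NULL;

	cmd = strrchr(input_cmd, '.');
	if (!cmd || strncmp(input_cmd, "gatt.", 5) != 0)
		return NULL;	/* only one submenu in this example */
	return menu_completion(gatt_menu, 1, cmd + 1);
}

/* What a readline completer would call. Tokenizes a copy because strtok_r()
 * writes into it; the hint returned is a table literal, so it stays valid. */
static const char *complete_line(const char *buffer, int *out_argc)
{
	char copy[256], *argv[MAX_ARGS];
	const char *hint;
	int argc;

	snprintf(copy, sizeof(copy), "%s", buffer);
	argc = tokenize(copy, argv);
	if (out_argc)
		*out_argc = argc;

	hint = submenu_completion(argv[0]);
	if (!hint)
		hint = menu_completion(main_menu, argc, argv[0]);
	return hint;
}

int main(void)
{
	const char *lines[] = { "", "connect ", "gatt.select-attribute", "gatt." };

	for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		int argc;
		const char *hint = complete_line(lines[i], &argc);
		printf("%-24s argc=%d hint=%s\n", lines[i], argc,
		       hint ? hint : "(none)");
	}
	return 0;
}
```

Build with cc -Wall and run it, optionally under valgrind --error-exitcode=1 as the reporter did: the empty line and "gatt." return no hint instead of faulting, while "connect " and "gatt.select-attribute" resolve to their argument hints. Removing either NULL guard reintroduces the strcmp()/strrchr() read of address 0 for the empty line.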
* Re: [PATCH BlueZ 1/1] shared/shell: Fix crash on bluetoothctl command completion
From: Bastien Nocera @ 2026-03-19 13:30 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Wouter
On Thu, 2026-03-19 at 14:25 +0100, Bastien Nocera wrote:
> Don't try to complete empty commands, leading to invalid reads and
> crashes.
I forgot to add Wouter's explanation on how to reproduce the bug. Let
me know if I should send a v2 (probably next week).
Cheers
>
> ==1430873== Invalid read of size 1
> ==1430873== at 0x484BC77: strcmp (vg_replace_strmem.c:941)
> ==1430873== by 0x435063: menu_completion (shell.c:1126)
> ==1430873== by 0x4352F0: shell_completion (shell.c:1177)
> ==1430873== by 0x4A2542B: gen_completion_matches (complete.c:1282)
> ==1430873== by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
> ==1430873== by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
> ==1430873== by 0x4A26ADF: readline_internal_char (readline.c:693)
> ==1430873== by 0x4A46CE4: rl_callback_read_char (callback.c:275)
> ==1430873== by 0x435E54: bt_shell_input_line (shell.c:309)
> ==1430873== by 0x436A34: watch_callback (io-glib.c:173)
> ==1430873== by 0x490A322: g_main_dispatch (gmain.c:3565)
> ==1430873== by 0x490A322:
> g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
> ==1430873== by 0x4913277: g_main_context_iterate_unlocked.isra.0
> (gmain.c:4490)
> ==1430873== Address 0x0 is not stack'd, malloc'd or (recently)
> free'd
>
> ==1516885== at 0x484A126: rindex (vg_replace_strmem.c:216)
> ==1516885== by 0x4353AA: submenu_completion (shell.c:1153)
> ==1516885== by 0x4353AA: shell_completion (shell.c:1187)
> ==1516885== by 0x4A2542B: gen_completion_matches (complete.c:1282)
> ==1516885== by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
> ==1516885== by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
> ==1516885== by 0x4A26ADF: readline_internal_char (readline.c:693)
> ==1516885== by 0x4A46CE4: rl_callback_read_char (callback.c:275)
> ==1516885== by 0x435E94: bt_shell_input_line (shell.c:309)
> ==1516885== by 0x436A74: watch_callback (io-glib.c:173)
> ==1516885== by 0x490A322: g_main_dispatch (gmain.c:3565)
> ==1516885== by 0x490A322:
> g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
> ==1516885== by 0x4913277: g_main_context_iterate_unlocked.isra.0
> (gmain.c:4490)
> ==1516885== by 0x491351E: g_main_loop_run (gmain.c:4695)
> ==1516885== Address 0x0 is not stack'd, malloc'd or (recently)
> free'd
>
> Reported-by: Wouter <wouter@xesxen.nl>
>
> ---
> src/shared/shell.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/src/shared/shell.c b/src/shared/shell.c
> index b061f8001414..805f4b77016b 100644
> --- a/src/shared/shell.c
> +++ b/src/shared/shell.c
> @@ -1122,6 +1122,9 @@ static char **menu_completion(const struct
> bt_shell_menu_entry *entry,
> {
> char **matches = NULL;
>
> + if (argc == 0)
> + return NULL;
> +
> for (; entry->cmd; entry++) {
> if (strcmp(entry->cmd, input_cmd))
> continue;
> @@ -1146,6 +1149,8 @@ static char **submenu_completion(const char
> *text, int argc, char *input_cmd)
>
> if (data.main != data.menu)
> return NULL;
> + if (!input_cmd)
> + return NULL;
>
> cmd = strrchr(input_cmd, '.');
> if (!cmd)
* RE: shared/shell: Fix crash on bluetoothctl command completion
From: bluez.test.bot @ 2026-03-19 15:02 UTC (permalink / raw)
To: linux-bluetooth, hadess
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1069297
---Test result---
Test Summary:
CheckPatch        PENDING   0.41 seconds
GitLint           PENDING   0.41 seconds
BuildEll          PASS      21.01 seconds
BluezMake         PASS      651.40 seconds
MakeCheck         PASS      19.20 seconds
MakeDistcheck     PASS      249.49 seconds
CheckValgrind     PASS      297.12 seconds
CheckSmatch       WARNING   359.34 seconds
bluezmakeextell   PASS      185.96 seconds
IncrementalBuild  PENDING   0.42 seconds
ScanBuild         PASS      1010.58 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
https://github.com/bluez/bluez/pull/1974/checks
---
Regards,
Linux Bluetooth