Enter a nonexistent filename ending with ' and press tab. sftp will exit with "el_insertstr failed." E.g., sftp> get /us' next, hit tab result: sftp> get /us'el_insertstr failed. $
Which version of OpenBSD is this, and are you using the native openssh or -portable compiled for it? I can reproduce on openbsd 5.4. I can't reproduce on openbsd-current with either the native sftp or -portable, nor on Linux with libedit-20130712-3.1. I suspect it's a libedit bug. If I stick an abort() into the fatal function here's where it's failing: sftp> get /us'el_insertstr failed. Program received signal SIGABRT, Aborted. 0x03e6443d in kill () at <stdin>:2 2 <stdin>: No such file or directory. in <stdin> Current language: auto; currently asm (gdb) bt #0 0x03e6443d in kill () at <stdin>:2 #1 0x03ece9d6 in raise (s=6) at /usr/src/lib/libc/gen/raise.c:39 #2 0x03ece8fc in abort () at /usr/src/lib/libc/stdlib/abort.c:70 #3 0x163168ff in fatal (fmt=Could not find the frame base for "fatal". ) at fatal.c:44 #4 0x1630fd42 in complete (el=0x7cad9000, ch=9) at sftp.c:1914 #5 0x0cdece27 in el_wgets (el=0x7cad9000, nread=0xcfbca410) at read.c:612 #6 0x0cded25d in el_gets (el=0x7cad9000, nread=0xcfbca410) at eln.c:78 #7 0x1630e204 in interactive_loop (conn=0x788c3a00, file1=0x0, file2=0x0) at sftp.c:2097 #8 0x1630eeb2 in main (argc=2, argv=0xcfbcad2c) at sftp.c:2410 (gdb) frame 7 #7 0x1630e204 in interactive_loop (conn=0x788c3a00, file1=0x0, file2=0x0) at sftp.c:2097 2097 if ((line = el_gets(el, &count)) == NULL || Current language: auto; currently c (gdb) list 2092 } else { 2093 #ifdef USE_LIBEDIT 2094 const char *line; 2095 int count = 0; 2096 2097 if ((line = el_gets(el, &count)) == NULL || 2098 count <= 0) { 2099 printf("\n"); 2100 break; 2101 } (gdb) bt #0 0x03e6443d in kill () at <stdin>:2 #1 0x03ece9d6 in raise (s=6) at /usr/src/lib/libc/gen/raise.c:39 #2 0x03ece8fc in abort () at /usr/src/lib/libc/stdlib/abort.c:70 #3 0x163168ff in fatal (fmt=Could not find the frame base for "fatal". ) at fatal.c:44 #4 0x1630fd42 in complete (el=0x7cad9000, ch=9) at sftp.c:1914 #5 0x0cdece27 in el_wgets (el=0x7cad9000, nread=0xcfbca410) at read.c:612 #6 0x0cded25d in el_gets (el=0x7cad9000, nread=0xcfbca410) at eln.c:78 #7 0x1630e204 in interactive_loop (conn=0x788c3a00, file1=0x0, file2=0x0) at sftp.c:2097 #8 0x1630eeb2 in main (argc=2, argv=0xcfbcad2c) at sftp.c:2410 (gdb) frame 4 #4 0x1630fd42 in complete (el=0x7cad9000, ch=9) at sftp.c:1914 1914 fatal("el_insertstr failed."); (gdb) list 1909 if (*(lf->cursor - 1) != '/' && 1910 (lastarg || *(lf->cursor) != ' ')) 1911 ins[i++] = ' '; 1912 ins[i] = '\0'; 1913 if (i > 0 && el_insertstr(el, ins) == -1) 1914 fatal("el_insertstr failed."); 1915 } 1916 free(tmp); 1917 1918 out:
disregard the "cannot reproduce" bits, that was due to a local .editrc turning off editing, a leftover from the last editline bug I looked at.
Created attachment 2433 [details] only append quote character if non-nul Please try this patch. I think I figured it out: the string is considered unterminated (because there's an unbalanced number of quotes, but the string isn't considered quoted (because it doesn't start with a quote). In this case, sftp appends the "quote" character (which happens to be nul) then tries calls editline to append this nul string to the line, which fails.
Patch committed and will be in 6.7. Thanks for the report.
Close all bugs left open from 6.6 and 6.7 releases.