GDB ret “cannot access memory at address”

Put simply:

top of stack ($esp) = 0xbffff49c.
gdb executes ret instruction, which responds with Cannot access memory at address 0x90909094.

What reason would gdb be trying to access 0x90909094 when the value at the top of the stack is 0xbffff49c?

Random info (in case it's needed):

[----------------------------------registers-----------------------------------]
EAX: 0x5a ('Z')
EBX: 0xb7fbeff4 --> 0x15ed7c 
ECX: 0xbffff428 --> 0xb7fbf4e0 --> 0xfbad2a84 
EDX: 0xb7fc0360 --> 0x0 
ESI: 0x0
EDI: 0x0 
EBP: 0x90909090 
ESP: 0xbffff49c --> 0xbffff450 --> 0xdb31c031 
EIP: 0x80485dd (<greeting+113>: ret)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80485d0 <greeting+100>:    mov    DWORD PTR [esp],0x80487f4
   0x80485d7 <greeting+107>:    call   0x80483f0 <printf@plt>
   0x80485dc <greeting+112>:    leave  
=> 0x80485dd <greeting+113>:    ret    
   0x80485de <checkPassword>:   push   ebp
   0x80485df <checkPassword+1>: mov    ebp,esp
   0x80485e1 <checkPassword+3>: push   ebx
   0x80485e2 <checkPassword+4>: sub    esp,0x64
[------------------------------------stack-------------------------------------]
0000| 0xbffff49c --> 0xbffff450 --> 0xdb31c031 
0004| 0xbffff4a0 --> 0x0 
0008| 0xbffff4a4 --> 0xbffff564 --> 0xbffff6b2 ("/root/Desktop/CSCE_526/task1")
0012| 0xbffff4a8 --> 0x804876b (<__libc_csu_init+11>:   add    ebx,0x1351)
0016| 0xbffff4ac --> 0xb7fbeff4 --> 0x15ed7c 
0020| 0xbffff4b0 --> 0x8048760 (<__libc_csu_init>:  push   ebp)
0024| 0xbffff4b4 --> 0x0 
0028| 0xbffff4b8 --> 0xbffff538 --> 0x0 
[------------------------------------------------------------------------------]
gdb-peda$ n
Cannot access memory at address 0x90909094

I'm overflowing a buffer and trying to get it to execute some shellcode, but I'm not sure if those details are relevant considering the simplicity of the question: why is ret trying to access data not on the top of the stack?

It looks to me as if your debugger isn't showing the register state after the leave instruction, but before it.

I believe leave does esp = ebp and that would make sense because the address it cannot access is one word after the address stored in ebp.

So I think that the problem isn't the destination of ret but happens when ret goes to access the stack to retrieve its return address.

Edit: Actually I now believe the access violation is happening inside the leave instruction and ret never executes at all. leave also tries to pop ebp and I think the access violation is there.

See some information on leave here: Why does leave do "mov esp,ebp" in x86 assembly?