From 0f23b73a0641461884a9a8d626ce087d76406840 Mon Sep 17 00:00:00 2001
From: "U. Artie Eoff"
Date: Mon, 5 May 2014 16:28:26 -0700
Subject: [PATCH] server: fix potential memleak and NULL deref
If for some reason that errno is neither value (ENOMEM or EINVAL), then prior to this patch, there would be a NULL deref in wl_closure_lookup(...) at the "else if" conditional when closure == NULL. Also, closure might not be NULL but still fall into the block due to the wl_closure_lookup < 0 condition... in that case, we need to destroy the closure to avoid a memory leak. Currently, wl_connection_demarshal only sets errno to ENOMEM or EINVAL... we've already checked for ENOMEM so remove check for EINVAL (just assume it). Also, call wl_closure_destroy(...) unconditionally in the "else if" block (assume it can handle NULL closure, too, which it does right now).
Signed-off-by: U. Artie Eoff
---
 src/wayland-server.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/wayland-server.c b/src/wayland-server.c
index f2b1b426..e850d48a 100644
--- a/src/wayland-server.c
+++ b/src/wayland-server.c
@@ -313,7 +313,7 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 if (closure == NULL && errno == ENOMEM) {
 wl_resource_post_no_memory(resource);
 break;
- } else if ((closure == NULL && errno == EINVAL) ||
+ } else if (closure == NULL ||
 wl_closure_lookup_objects(closure, &client->objects) < 0) {
 wl_resource_post_error(client->display_resource,
 WL_DISPLAY_ERROR_INVALID_METHOD,
@@ -321,6 +321,7 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 object->interface->name,
 object->id,
 message->name);
+ wl_closure_destroy(closure);
 break;
 }
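Review bot: The rewritten `else if` now depends on short-circuit order: `closure == NULL ||` has to stay ahead of `wl_closure_lookup_objects(closure, &client->objects)` so that a failed demarshal never reaches the lookup with a NULL pointer, and nothing at the call site says so. The branch also reports every non-ENOMEM demarshal failure to the client as WL_DISPLAY_ERROR_INVALID_METHOD, which is accurate only while wl_connection_demarshal sets nothing but ENOMEM or EINVAL, as the commit message assumes. I would record both above the branch, e.g. `/* closure == NULL here means demarshal failed with errno != ENOMEM (EINVAL today); must be tested before the lookup */`. The body of wl_client_connection_data starts and ends outside the hunk.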
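Review bot: `wl_closure_destroy(closure)` is reached with `closure == NULL` whenever the first half of the condition in the previous hunk is what took the branch, so this line relies on the destroy function accepting NULL, which is not visible here and which the commit message itself calls an assumption. Either guard the call, `if (closure != NULL) wl_closure_destroy(closure);`, or document free()-like NULL tolerance on wl_closure_destroy so that a later change to it cannot turn a malformed client request into a server crash. Not visible in this hunk is whether a demarshalled closure owns anything besides its own allocation, such as file descriptors taken from the message; if it does, confirm the destroy path releases them on this error branch as well. The enclosing block continues outside the hunk.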