ipc-server: fix more use-after-frees on ipc_send_reply error

Since ipc_send_reply frees the client on error, we need to check the return value properly as we access client later on Found through static analysis.
author: Dominique Martinet <asmadeus@codewreck.org> 2018-06-30 17:18:47 +0900
committer: Dominique Martinet <asmadeus@codewreck.org> 2018-07-02 08:03:41 +0900
commit: ebe69583c7304fe50247b5929106e3e5ce95b53a (patch)
tree: 6c883eb3098c6d50741f61da4fcda78c42e434c7
parent: 0ab04b7434306c5faceda2b4d2922e9d78de0184 (diff)
1 files changed, 31 insertions, 15 deletions
diff --git a/sway/ipc-server.c b/sway/ipc-server.c
index 2dfe2d03..3e510c2e 100644
--- a/sway/ipc-server.c
+++ b/sway/ipc-server.c
@@ -466,6 +466,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
 	}
 	buf[client->payload_length] = '\0';
 
+	bool client_valid = true;
 	switch (client->current_command) {
 	case IPC_COMMAND:
 	{
@@ -473,7 +474,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		const char *json = cmd_results_to_json(results);
 		char reply[256];
 		int length = snprintf(reply, sizeof(reply), "%s", json);
-		ipc_send_reply(client, reply, (uint32_t) length);
+		client_valid = ipc_send_reply(client, reply, (uint32_t)length);
 		free_cmd_results(results);
 		goto exit_cleanup;
 	}
@@ -496,7 +497,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 			}
 		}
 		const char *json_string = json_object_to_json_string(outputs);
-		ipc_send_reply(client, json_string, (uint32_t) strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
 		json_object_put(outputs); // free
 		goto exit_cleanup;
 	}
@@ -507,7 +509,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		container_for_each_descendant_dfs(&root_container,
 				ipc_get_workspaces_callback, workspaces);
 		const char *json_string = json_object_to_json_string(workspaces);
-		ipc_send_reply(client, json_string, (uint32_t) strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
 		json_object_put(workspaces); // free
 		goto exit_cleanup;
 	}
@@ -517,7 +520,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		// TODO: Check if they're permitted to use these events
 		struct json_object *request = json_tokener_parse(buf);
 		if (request == NULL) {
-			ipc_send_reply(client, "{\"success\": false}", 18);
+			client_valid = ipc_send_reply(client, "{\"success\": false}", 18);
 			wlr_log_errno(L_INFO, "Failed to read request");
 			goto exit_cleanup;
 		}
@@ -538,7 +541,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 			} else if (strcmp(event_type, "binding") == 0) {
 				client->subscribed_events |= event_mask(IPC_EVENT_BINDING);
 			} else {
-				ipc_send_reply(client, "{\"success\": false}", 18);
+				client_valid =
+					ipc_send_reply(client, "{\"success\": false}", 18);
 				json_object_put(request);
 				wlr_log_errno(L_INFO, "Failed to parse request");
 				goto exit_cleanup;
@@ -546,7 +550,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		}
 
 		json_object_put(request);
-		ipc_send_reply(client, "{\"success\": true}", 17);
+		client_valid = ipc_send_reply(client, "{\"success\": true}", 17);
 		goto exit_cleanup;
 	}
 
@@ -558,7 +562,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 			json_object_array_add(inputs, ipc_json_describe_input(device));
 		}
 		const char *json_string = json_object_to_json_string(inputs);
-		ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
 		json_object_put(inputs); // free
 		goto exit_cleanup;
 	}
@@ -571,7 +576,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 			json_object_array_add(seats, ipc_json_describe_seat(seat));
 		}
 		const char *json_string = json_object_to_json_string(seats);
-		ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
 		json_object_put(seats); // free
 		goto exit_cleanup;
 	}
@@ -581,7 +587,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		json_object *tree =
 			ipc_json_describe_container_recursive(&root_container);
 		const char *json_string = json_object_to_json_string(tree);
-		ipc_send_reply(client, json_string, (uint32_t) strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t) strlen(json_string));
 		json_object_put(tree);
 		goto exit_cleanup;
 	}
@@ -592,7 +599,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		container_descendants(&root_container, C_VIEW, ipc_get_marks_callback,
 				marks);
 		const char *json_string = json_object_to_json_string(marks);
-		ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
 		json_object_put(marks);
 		goto exit_cleanup;
 	}
@@ -601,7 +609,8 @@ void ipc_client_handle_command(struct ipc_client *client) {
 	{
 		json_object *version = ipc_json_get_version();
 		const char *json_string = json_object_to_json_string(version);
-		ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
+		client_valid =
+			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
 		json_object_put(version); // free
 		goto exit_cleanup;
 	}
@@ -616,7 +625,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 				json_object_array_add(bars, json_object_new_string(bar->id));
 			}
 			const char *json_string = json_object_to_json_string(bars);
-			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
+			client_valid =
+				ipc_send_reply(client, json_string,
+					(uint32_t)strlen(json_string));
 			json_object_put(bars); // free
 		} else {
 			// Send particular bar's details
@@ -630,12 +641,15 @@ void ipc_client_handle_command(struct ipc_client *client) {
 			}
 			if (!bar) {
 				const char *error = "{ \"success\": false, \"error\": \"No bar with that ID\" }";
-				ipc_send_reply(client, error, (uint32_t)strlen(error));
+				client_valid =
+					ipc_send_reply(client, error, (uint32_t)strlen(error));
 				goto exit_cleanup;
 			}
 			json_object *json = ipc_json_describe_bar_config(bar);
 			const char *json_string = json_object_to_json_string(json);
-			ipc_send_reply(client, json_string, (uint32_t)strlen(json_string));
+			client_valid =
+				ipc_send_reply(client, json_string,
+					(uint32_t)strlen(json_string));
 			json_object_put(json); // free
 		}
 		goto exit_cleanup;
@@ -647,7 +661,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 	}
 
 exit_cleanup:
-	client->payload_length = 0;
+	if (client_valid) {
+		client->payload_length = 0;
+	}
 	free(buf);
 	return;
 }
author	Dominique Martinet <asmadeus@codewreck.org>	2018-06-30 17:18:47 +0900
committer	Dominique Martinet <asmadeus@codewreck.org>	2018-07-02 08:03:41 +0900
commit	ebe69583c7304fe50247b5929106e3e5ce95b53a (patch)
tree	6c883eb3098c6d50741f61da4fcda78c42e434c7
parent	0ab04b7434306c5faceda2b4d2922e9d78de0184 (diff)