server: fix potential memleak and NULL deref

If for some reason that errno is neither value (ENOMEM or
EINVAL), then prior to this patch, there would be a NULL
deref in wl_closure_lookup(...) at the "else if" conditional
when closure == NULL. Also, closure might not be NULL but still
fall into the block due to the wl_closure_lookup < 0 condition...
in that case, we need to destroy the closure to avoid a memory
leak.

Currently, wl_connection_demarshal only sets errno to ENOMEM
or EINVAL... we've already checked for ENOMEM so remove check
for EINVAL (just assume it).  Also, call wl_closure_destroy(...)
unconditionally in the "else if" block (assume it can handle
NULL closure, too, which it does right now).

Signed-off-by: U. Artie Eoff <ullysses.a.eoff@intel.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/wayland-server.c b/src/wayland-server.c
index f2b1b42..e850d48 100644
--- a/src/wayland-server.c
+++ b/src/wayland-server.c
@@ -313,7 +313,7 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 		if (closure == NULL && errno == ENOMEM) {
 			wl_resource_post_no_memory(resource);
 			break;
-		} else if ((closure == NULL && errno == EINVAL) ||
+		} else if (closure == NULL ||
 			   wl_closure_lookup_objects(closure, &client->objects) < 0) {
 			wl_resource_post_error(client->display_resource,
 					       WL_DISPLAY_ERROR_INVALID_METHOD,
@@ -321,6 +321,7 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 					       object->interface->name,
 					       object->id,
 					       message->name);
+			wl_closure_destroy(closure);
 			break;
 		}