From 546ddbcd5bd76def3bb51114d4e1e6eb93eb16e7 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Sat, 30 Jun 2018 17:02:23 +0900
Subject: [PATCH] ipc-server: fix double-free on send error in ipc_send_event

ipc_send_reply already does client disconnect on error, so we shouldn't do it again. We also need to process current index again as disconnect removes client from the list we currently are processing (this is an indexed "list") Found through static analysis.
---
 sway/ipc-server.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sway/ipc-server.c b/sway/ipc-server.c
index 241fe742..ec933ec3 100644
--- a/sway/ipc-server.c
+++ b/sway/ipc-server.c
@@ -263,7 +263,10 @@ static void ipc_send_event(const char *json_string, enum ipc_command_type event)
 client->current_command = event;
 if (!ipc_send_reply(client, json_string, (uint32_t) strlen(json_string))) {
 wlr_log_errno(L_INFO, "Unable to send reply to IPC client");
- ipc_client_disconnect(client);
+ /* ipc_send_reply destroys client on error, which also
+ * removes it from the list, so we need to process
+ * current index again */
+ i--;
 }
 }
 }
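Review bot: The added `i--` is only safe if every path on which ipc_send_reply returns false has already removed the client from the list, and nothing in this hunk enforces that. ipc_send_reply's body is not visible here, but if any failure path returns false without disconnecting, the loop would presumably revisit the same index on every pass and stall the compositor. Conversely, a caller that disconnects again brings back the double free this commit removes. I would state the contract at the definition of ipc_send_reply, for example `/* On failure the client has already been disconnected and freed; callers must not touch it again. */`. Walking the list from the last index down to 0 would also remove the need for the index fix-up. The loop header and the declaration of `i` are outside the hunk.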