Device can't be 'alreadyHere' if has hostID of 0 since the only way a

device gets registered involves giving it a non-0 hostID. Fixes array OOB access.
2025-01-30 08:34:16 +01:00 · 2013-08-14 08:10:09 -07:00 · 2013-08-14 08:10:09 -07:00 · fe51d19c2e
commit fe51d19c2e
parent 80f66d1df7
1 changed files with 14 additions and 12 deletions
--- a/xwords4/relay/cref.cpp
+++ b/xwords4/relay/cref.cpp
@ -379,18 +379,20 @@ CookieRef::AlreadyHere( HostID hid, unsigned short seed, const AddrInfo* addr,
          hid, seed, seed, addr->socket() );
    bool here = false;

-    RWWriteLock rwl( &m_socketsRWLock );
-    HostRec* hr = m_sockets[hid-1];
-    if ( !!hr ) {
-        if ( seed != hr->m_seed ) {
-            *spotTaken = true;
-        } else if ( addr->equals( hr->m_addr ) ) {
-            here = true;    /* dup packet */
-        } else {
-            logf( XW_LOGINFO, "%s: hids match; nuking existing record "
-                  "for socket b/c assumed closed", __func__ );
-            delete hr;
-            m_sockets[hid-1] = NULL;
+    if ( HOST_ID_NONE != hid ) {
+        RWWriteLock rwl( &m_socketsRWLock );
+        HostRec* hr = m_sockets[hid-1];
+        if ( !!hr ) {
+            if ( seed != hr->m_seed ) {
+                *spotTaken = true;
+            } else if ( addr->equals( hr->m_addr ) ) {
+                here = true;    /* dup packet */
+            } else {
+                logf( XW_LOGINFO, "%s: hids match; nuking existing record "
+                      "for socket b/c assumed closed", __func__ );
+                delete hr;
+                m_sockets[hid-1] = NULL;
+            }
        }
    }