[ENet-discuss] Boundschecker finds bug, fix included

Ruud van Gaal ruud at racer.nl
Fri Oct 12 07:05:21 PDT 2007


Hi,

I've recently obtained v1.1 of ENet. Now, while debugging with BoundsChecker,
I get a warning in peer.cpp:

--- peer.cpp ---------------------------------------
ENetOutgoingCommand *
enet_peer_queue_outgoing_command (ENetPeer * peer, const ENetProtocol * command, ENetPacket * packet, enet_uint32 offset, enet_uint16 length)
{
    ENetChannel * channel = & peer -> channels [command -> header.channelID];   /* <= WARNING HERE */
    ENetOutgoingCommand * outgoingCommand;

    peer -> outgoingDataTotal += enet_protocol_command_size (command -> header.command) + length;

    outgoingCommand = (ENetOutgoingCommand *) enet_malloc (sizeof (ENetOutgoingCommand));

    if (command -> header.channelID == 0xFF)
    {
       ++ peer -> outgoingReliableSequenceNumber;

       outgoingCommand -> reliableSequenceNumber = peer -> outgoingReliableSequenceNumber;
       outgoingCommand -> unreliableSequenceNumber = 0;
    }
...
-----------------------------------------------------
The problem is that in a connect packet, header.channelID=0xFF and the
channel ptr is out of bounds. Not really a problem since it's not used in
that case, but still ugly (the pointer is bad). A fix is:

======================================================
ENetOutgoingCommand *
enet_peer_queue_outgoing_command (ENetPeer * peer, const ENetProtocol * command, ENetPacket * packet, enet_uint32 offset, enet_uint16 length)
{
    ENetChannel * channel;
    ENetOutgoingCommand * outgoingCommand;

    peer -> outgoingDataTotal += enet_protocol_command_size (command -> header.command) + length;

    outgoingCommand = (ENetOutgoingCommand *) enet_malloc (sizeof (ENetOutgoingCommand));

    if (command -> header.channelID != 0xFF)
      channel = & peer -> channels [command -> header.channelID];

    if (command -> header.channelID == 0xFF)
    {
       ++ peer -> outgoingReliableSequenceNumber;
...
========================================================

I don't have a neat SVN version here (not able to commit), so if somebody
could add this fix to the code.

Thanks,
Ruud
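
The pattern discussed in this message, as an added example that is not part of the original post and is not ENet's code: the channel pointer is formed only after the ID has been checked, and the check goes one step beyond the post's fix by also rejecting IDs past the end of the array, not just the 0xFF sentinel. The struct layouts and the names `Channel`, `Peer`, `peer_channel_for` and `next_reliable_sequence` are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

#define SENTINEL_CHANNEL_ID 0xFF  /* value the post says connect commands carry */

/* Simplified stand-ins for illustration; not ENet's real structures. */
typedef struct { uint16_t outgoingReliableSequenceNumber; } Channel;

typedef struct {
    Channel *channels;                        /* array of channelCount entries */
    size_t   channelCount;
    uint16_t outgoingReliableSequenceNumber;  /* peer-wide counter */
} Peer;

/* Return the channel for channelID, or NULL for the sentinel and for any ID
   outside the allocated array. The pointer is formed only after the check. */
static Channel *peer_channel_for(Peer *peer, uint8_t channelID)
{
    if (channelID == SENTINEL_CHANNEL_ID || channelID >= peer->channelCount)
        return NULL;
    return &peer->channels[channelID];
}

/* Assign the next reliable sequence number for a command on channelID.
   Returns 0 and stores the number in *seq, or returns -1 (touching nothing)
   when channelID is neither the sentinel nor a valid channel index. */
static int next_reliable_sequence(Peer *peer, uint8_t channelID, uint16_t *seq)
{
    Channel *channel = peer_channel_for(peer, channelID);

    if (channelID == SENTINEL_CHANNEL_ID) {
        *seq = ++peer->outgoingReliableSequenceNumber;   /* no channel involved */
        return 0;
    }
    if (channel == NULL)
        return -1;                                       /* out-of-range ID */
    *seq = ++channel->outgoingReliableSequenceNumber;
    return 0;
}

int main(void)
{
    Channel chans[2] = {{0}, {0}};   /* constructed sample peer with 2 channels */
    Peer peer = { chans, 2, 0 };
    uint16_t seq;
    return next_reliable_sequence(&peer, SENTINEL_CHANNEL_ID, &seq);
}
```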


