Tor configuration policies using network CIDR syntax should clamp mask bits appropriately
Tor configuration policies using network CIDR syntax like 224.0.0.0/8 should clamp mask bits appropriately to IANA and network prefix.
An example bad configuration spotted in the wild: 224.0.0.0/3, which represents a binary 11100000.00000000.00000000.00000000 & 00011111.11111111.11111111.11111111 in tor_addr_compare_masked, which results in a comparison of only the first three bits of any comparison network under test.
Improve Tor to implement a clamp mask, and warn on a configuration policy that specifies an invalid mask per network prefix.
The netmask clamp would ensure that mask bits number at least 8 bits or more, meaning a /8 or smaller network policy. See https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
The netmask clamp would ensure that mask bits number at least the same number of bits in the network prefix, if the network prefix bits number 8 or more themselves.
Trac:
Username: anon
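The two clamp rules proposed in this ticket, sketched in C as an added example (not code from Tor or from the reporter). The function names and the `IP4` macro are hypothetical; "network prefix bits" is assumed to mean the position of the lowest set bit in the configured address, and the `0.0.0.0/0` wildcard is assumed to be exempt from clamping.

```c
/* Added illustration; all names here are hypothetical, not Tor's API. */
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
  (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Leading bits up to and including the lowest set bit of a host-order
 * address: 224.0.0.0 gives 3, 10.1.0.0 gives 16, 0.0.0.0 gives 0. */
static int significant_prefix_bits(uint32_t addr)
{
  int bits = 32;
  if (addr == 0)
    return 0;
  while ((addr & 1) == 0) {
    addr >>= 1;
    bits--;
  }
  return bits;
}

/* Returns the mask length to use for a policy entry (maskbits in 0..32).
 * *changed is set to 1 when the configured value was adjusted, which is
 * where the caller would log the warning the ticket asks for. */
static int clamp_policy_maskbits(uint32_t addr, int maskbits, int *changed)
{
  int clamped = maskbits;
  int prefix = significant_prefix_bits(addr);
  if (addr == 0 && maskbits == 0) {  /* assumption: wildcard stays as is */
    *changed = 0;
    return 0;
  }
  if (clamped < 8)
    clamped = 8;                     /* rule 1: never wider than a /8 */
  if (prefix >= 8 && clamped < prefix)
    clamped = prefix;                /* rule 2: cover the written prefix */
  *changed = (clamped != maskbits);
  return clamped;
}

/* Returns 1 when a and b agree on their first maskbits bits. */
static int masked_equal(uint32_t a, uint32_t b, int maskbits)
{
  uint32_t mask = maskbits ? 0xffffffffu << (32 - maskbits) : 0;
  return (a & mask) == (b & mask);
}

int main(void)
{
  int changed, bits = clamp_policy_maskbits(IP4(224, 0, 0, 0), 3, &changed);
  if (changed)
    printf("warn: 224.0.0.0/3 clamped to /%d\n", bits);
  /* 240.0.0.1 (constructed sample) matches the /3 but not the clamped /8. */
  printf("%d %d\n", masked_equal(IP4(240, 0, 0, 1), IP4(224, 0, 0, 0), 3),
         masked_equal(IP4(240, 0, 0, 1), IP4(224, 0, 0, 0), bits));
  return 0;
}
```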