Tor configuration policies using network CIDR syntax should clamp mask bits appropriately

Tor configuration policies using network CIDR syntax like 224.0.0.0/8 should clamp mask bits appropriately to IANA and network prefix.

An example bad configuration spotted in the wild: 224.0.0.0/3 which represents a binary 11100000.00000000.00000000.00000000 & 00011111.11111111.11111111.11111111 in tor_addr_compare_masked which results in a comparison of only the first three bits of any comparison network under test.

Improve Tor to implement a clamp mask, and warn on a configuration policy that specifies an invalid mask per network prefix.

The netmask clamp would ensure that mask bits number at least 8 bits or more, meaning a /8 or smaller network policy. See https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

The netmask clamp would ensure that mask bits number at least the same number of bits in the network prefix, if the network prefix bits number 8 or more themselves.

Trac:
Username: anon

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information