Undefined behavior in rend_parse_service_authorization()

    char descriptor_cookie_tmp[REND_DESC_COOKIE_LEN+2];
    ...
    if (base64_decode(descriptor_cookie_tmp, sizeof(descriptor_cookie_tmp),
                      descriptor_cookie_base64ext,
                      strlen(descriptor_cookie_base64ext)) < 0) {
      log_warn(LD_CONFIG, "Decoding authorization cookie failed: '%s'",
               descriptor_cookie);
      goto err;
    }
    auth_type_val = (descriptor_cookie_tmp[16] >> 4) + 1;

descriptor_cookie_tmp is a char array and chars are signed. The right shift there can cause undefined behavior if descriptor_cookie_tmp[16] is a negative value.
Reported on IRC.
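
An added example, not part of the ticket or Tor's code: it contrasts the expression from the report with a form that converts the byte to unsigned char before shifting, so the result always falls in 1..16. The buffer size, function names and sample byte values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_TMP_LEN 18  /* assumed size; the page only shows index 16 in use */

/* Expression from the report: the byte is read through plain char, so where
 * char is signed, bytes 0x80..0xFF are negative before the shift. */
static int auth_type_plain_char(const char *cookie)
{
    return (cookie[16] >> 4) + 1;
}

/* Hardened form (hypothetical name): convert to unsigned char first, so the
 * shifted operand is always 0..255 and the result is always 1..16. */
static int auth_type_unsigned(const char *cookie)
{
    return ((unsigned char)cookie[16] >> 4) + 1;
}

/* Evaluate either form on a constructed cookie whose byte 16 is `b`. */
int auth_type_for(unsigned char b, int hardened)
{
    char cookie[COOKIE_TMP_LEN] = {0};
    memcpy(&cookie[16], &b, 1);  /* store the raw byte, no signed conversion */
    return hardened ? auth_type_unsigned(cookie) : auth_type_plain_char(cookie);
}

/* Count byte values for which the two forms disagree on this platform. */
int count_disagreements(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++)
        if (auth_type_for((unsigned char)b, 0) != auth_type_for((unsigned char)b, 1))
            n++;
    return n;
}

int main(void)
{
    printf("byte 0x10: plain=%d unsigned=%d\n", auth_type_for(0x10, 0), auth_type_for(0x10, 1));
    printf("byte 0x90: plain=%d unsigned=%d\n", auth_type_for(0x90, 0), auth_type_for(0x90, 1));
    printf("disagreeing byte values: %d of 256\n", count_disagreements());
    return 0;
}
```

The two forms can only disagree for bytes with the high bit set; the count printed by main depends on whether plain char is signed on the build platform.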