We try to squeeze a two-byte version into a one-byte link_proto:

    int highest_supported_version = 0;
    ...
    uint16_t v = ntohs(get_uint16(cp));
    if (is_or_protocol_version_known(v) && v > highest_supported_version)
      highest_supported_version = v;
    ...
    chan->conn->link_proto = highest_supported_version;
But:

    uint8_t link_proto; /**< What protocol version are we using? 0 for
                         * "none negotiated yet." */
So these checks in channel_tls_process_versions_cell():

    if (!highest_supported_version) {
      ...
    } else if (highest_supported_version == 1) {
      ...
    } else if (highest_supported_version < 3 &&
               chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V3) {
      ...
    } else if (highest_supported_version != 2 &&
               chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {

can all be bypassed by sending 0x0101 rather than 0x0001, etc.
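The narrowing hazard in isolation, as an added example that is not Tor's code: a stand-in for the version-selection loop feeds a wide int to the state checks, then stores it into an 8-bit field, so a VERSIONS entry of 0x0101 passes the checks as 257 and lands in link_proto as 1. The hardened variant runs the same checks on the value that will actually be stored. Names (struct conn, version_acceptable, negotiate_buggy, negotiate_fixed, STATE_V2/STATE_V3) are made up for this demo, and the known-version gate is left out so only the truncation is shown.

```c
#include <stdint.h>
#include <stddef.h>

/* Narrow field, as in the report: the negotiated link protocol lives in 8 bits. */
struct conn { uint8_t link_proto; };

enum { STATE_V2 = 0, STATE_V3 = 1 };   /* stand-ins for the two handshaking states */

/* The checks from channel_tls_process_versions_cell(), reduced to a predicate. */
static int version_acceptable(int ver, int state)
{
  if (!ver) return 0;                          /* nothing negotiated */
  if (ver == 1) return 0;                      /* v1 never uses a VERSIONS cell */
  if (ver < 3 && state == STATE_V3) return 0;  /* v3 handshake needs >= 3 */
  if (ver != 2 && state == STATE_V2) return 0; /* v2 handshake needs exactly 2 */
  return 1;
}

/* Walk the 2-byte big-endian entries of a VERSIONS payload, keep the highest.
 * Deliberately no range check, to isolate the narrowing (constructed helper). */
static int highest_version(const uint8_t *cp, size_t len)
{
  int highest = 0;
  for (size_t i = 0; i + 1 < len; i += 2) {
    uint16_t v = (uint16_t)((cp[i] << 8) | cp[i + 1]);  /* same as ntohs(get_uint16(cp)) */
    if (v > highest) highest = v;
  }
  return highest;
}

/* Buggy shape: checks see the wide int; the store silently keeps only the low byte. */
int negotiate_buggy(struct conn *c, const uint8_t *payload, size_t len, int state)
{
  int highest = highest_version(payload, len);
  if (!version_acceptable(highest, state)) return 0;
  c->link_proto = highest;      /* implicit int -> uint8_t: 0x0101 becomes 1 */
  return 1;
}

/* Hardened shape: reject what cannot be represented, then check the stored value. */
int negotiate_fixed(struct conn *c, const uint8_t *payload, size_t len, int state)
{
  int highest = highest_version(payload, len);
  if (highest > UINT8_MAX) return 0;          /* would not survive the narrowing */
  uint8_t stored = (uint8_t)highest;
  if (!version_acceptable(stored, state)) return 0;
  c->link_proto = stored;
  return 1;
}
```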
Reported by bob from IRC. He says there are triggerable asserts, but he didn't clarify which ones.
See also #8059 (moved) for a nearby bug.