Out-of-bounds read in INTRODUCE2 with client authorization
An authorized hidden service client can cause an out-of-bounds read on a service with authorization enabled, of at most 15 bytes off the end of a malloc'd segment. The client must have a valid authorization cookie. There is no disclosure of uninitialized memory, except in an info-level log message, but there is a small chance of a crash.
In rend_check_authorization, the descriptor_cookie from the INTRODUCE2 cell is assumed to be REND_DESC_COOKIE_LEN bytes. This is checked earlier when the auth_type is 1 or 2, but not for any other non-zero auth_type.
There is a warning about unknown auth types in rend_service_validate_intro_late, but no error.