Off-by-one out-of-bounds read in Tor BEGIN cell flags parsing (connection_edge.c)
Reported via [hackerone](https://hackerone.com/reports/3682440) # Summary: An off-by-one error in Tor's begin_cell_parse() function in src/core/or/connection_edge.c allows a malicious Tor client to trigger a 1-byte out-of-bounds read on an exit relay. The boundary check for the optional 4-byte flags field after the NUL-terminated address:port string uses >= instead of >, causing get_uint32(nul+1) to read 1 byte past the relay cell payload declared length. Since the relay_msg_t body pointer references a stack-allocated cell_t.payload[509] array, this could read 1 byte of uninitialized stack memory. # Steps To Reproduce: A crafted RELAY_COMMAND_BEGIN cell with NUL positioned at exactly body[length-4] triggers the bug. # Buggy code snippet ``` STATIC int begin_cell_parse(const relay_msg_t *msg, begin_cell_t *bcell, uint8_t *end_reason_out) { const uint8_t *body, *nul; // ... body = msg->body; nul = memchr(body, 0, msg->length); if (! nul) { // ... error handling return -1; } // ... address:port parsing ... if (body + msg->length >= nul + 4) // BUG: should be > bcell->flags = ntohl(get_uint32(nul+1)); // reads 4 bytes at nul+1 return 0; } ``` # Impact Worst case scenario : ASan-crash claim. For now, OOB read only changes bcell->flags, which modify IPV4/IPV6 preference. 
issue