Off-by-one out-of-bounds read in Tor BEGIN cell flags parsing (connection_edge.c)
Reported via [hackerone](https://hackerone.com/reports/3682440)
# Summary:
An off-by-one error in Tor's begin_cell_parse() function in src/core/or/connection_edge.c allows a malicious Tor client to trigger a 1-byte out-of-bounds read on an
exit relay. The boundary check for the optional 4-byte flags field after the NUL-terminated address:port string uses >= instead of >, causing get_uint32(nul+1) to read
1 byte past the relay cell payload declared length. Since the relay_msg_t body pointer references a stack-allocated cell_t.payload[509] array, this could read 1 byte of
uninitialized stack memory.
# Steps To Reproduce:
A crafted RELAY_COMMAND_BEGIN cell with NUL positioned at exactly body[length-4] triggers the bug.
# Buggy code snippet
```
STATIC int
begin_cell_parse(const relay_msg_t *msg, begin_cell_t *bcell,
uint8_t *end_reason_out)
{
const uint8_t *body, *nul;
// ...
body = msg->body;
nul = memchr(body, 0, msg->length);
if (! nul) {
// ... error handling
return -1;
}
// ... address:port parsing ...
if (body + msg->length >= nul + 4) // BUG: should be >
bcell->flags = ntohl(get_uint32(nul+1)); // reads 4 bytes at nul+1
return 0;
}
```
# Impact
Worst case scenario : ASan-crash claim. For now, OOB read only changes bcell->flags, which modify IPV4/IPV6 preference.
issue