``` char descriptor_cookie_tmp[REND_DESC_COOKIE_LEN+2]; ... if (base64_decode(descriptor_cookie_tmp, sizeof(descriptor_cookie_tmp), descriptor_cookie_base64ext, strlen(descriptor_cookie_base64ext)) < 0) { log_warn(LD_CONFIG, "Decoding authorization cookie failed: '%s'", descriptor_cookie); goto err; } auth_type_val = (descriptor_cookie_tmp[16] >> 4) + 1; ``` `descriptor_cookie_tmp` is a char array and chars are signed. The right shift there can cause undefined behavior if `descriptor_cookie_tmp[16]` is a negative value. Reported on IRC.