git.ipfire.org Git - thirdparty/tor.git/commit

author	Nick Mathewson <nickm@torproject.org>
	Mon, 17 Sep 2012 13:52:43 +0000 (09:52 -0400)
committer	Nick Mathewson <nickm@torproject.org>
	Mon, 17 Sep 2012 14:28:14 +0000 (10:28 -0400)
commit	96d2a21683cdfe25b549e13fa450d4b12fb945b2
tree	64fe4f8b4d134fb9c607754463946dc74606ad4d	tree \| snapshot
parent	2939cc3ba3afe5ef2c6a273eef18577274e6867b	commit \| diff

Avoid sign-extending when computing rend auth type.

Right-shifting negative values has implementation-defined behavior.
On all the platforms we work on right now, the behavior is to
sign-extend the input.  That isn't what we wanted in

    auth_type_val = (descriptor_cookie_tmp[16] >> 4) + 1;

Fix for 6861; bugfix on 0.2.1.5-alpha; reported pseudonymously.

The broken behavior didn't actually hurt anything, I think, since the
only way to get sign-extension to happen would be to have the top bit
of descriptor_cookie_tmp[16] set, which would make the value of
descriptor_cookie_tmp[16] >> 4 somewhere between 0b11111111 and
0b11111000 (that is, between -1 and -8).  So auth_type_val would be
between -7 and 0.  And the immediate next line does:

    if (auth_type_val < 1 || auth_type_val > 2) {

So the incorrectly computed auth_type_val would be rejected as
invalid, just as a correctly computed auth_type_val would be.

Still, this stuff shouldn't sit around the codebase.

changes/bug6861	[new file with mode: 0644]	blob
src/or/rendclient.c		diff \| blob \| blame \| history