Merge branch 'bug6833'

2 files changed, 13 insertions, 0 deletions

diff --git a/src/or/or.h b/src/or/or.h
index bb5482bf8..f7914b830 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2101,6 +2101,9 @@ typedef struct vote_microdesc_hash_t {
 typedef struct vote_routerstatus_t {
   routerstatus_t status; /**< Underlying 'status' object for this router.
                           * Flags are redundant. */
+  /** How many known-flags are allowed in a vote? This is the width of
+   * the flags field of vote_routerstatus_t */
+#define MAX_KNOWN_FLAGS_IN_VOTE 64
   uint64_t flags; /**< Bit-field for all recognized flags; index into
                    * networkstatus_t.known_flags. */
   char *version; /**< The version that the authority says this router is
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 22f7d78d8..43a95e88c 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -3004,6 +3004,16 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
     log_warn(LD_DIR, "known-flags not in order");
     goto err;
   }
+  if (ns->type != NS_TYPE_CONSENSUS &&
+      smartlist_len(ns->known_flags) > MAX_KNOWN_FLAGS_IN_VOTE) {
+    /* If we allowed more than 64 flags in votes, then parsing them would make
+     * us invoke undefined behavior whenever we used 1<<flagnum to do a
+     * bit-shift. This is only for votes and opinions: consensus users don't
+     * care about flags they don't recognize, and so don't build a bitfield
+     * for them. */
+    log_warn(LD_DIR, "Too many known-flags in consensus vote or opinion");
+    goto err;
+  }
 
   tok = find_opt_by_keyword(tokens, K_PARAMS);
   if (tok) {