1 files changed, 14 insertions, 1 deletions

diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 6b94c6bfd..8502ff2bf 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -2101,7 +2101,7 @@ routerstatus_parse_entry_from_string(memarea_t *area,
     for (i=0; i < tok->n_args; ++i) {
       int p = smartlist_string_pos(vote->known_flags, tok->args[i]);
       if (p >= 0) {
-        vote_rs->flags |= (1<<p);
+        vote_rs->flags |= (U64_LITERAL(1)<<p);
       } else {
         log_warn(LD_DIR, "Flags line had a flag %s not listed in known_flags.",
                  escaped(tok->args[i]));
@@ -3004,6 +3004,16 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
     log_warn(LD_DIR, "known-flags not in order");
     goto err;
   }
+  if (ns->type != NS_TYPE_CONSENSUS &&
+      smartlist_len(ns->known_flags) > MAX_KNOWN_FLAGS_IN_VOTE) {
+    /* If we allowed more than 64 flags in votes, then parsing them would make
+     * us invoke undefined behavior whenever we used 1<<flagnum to do a
+     * bit-shift. This is only for votes and opinions: consensus users don't
+     * care about flags they don't recognize, and so don't build a bitfield
+     * for them. */
+    log_warn(LD_DIR, "Too many known-flags in consensus vote or opinion");
+    goto err;
+  }
 
   tok = find_opt_by_keyword(tokens, K_PARAMS);
   if (tok) {
@@ -4854,6 +4864,9 @@ rend_parse_v2_service_descriptor(rend_service_descriptor_t **parsed_out,
                                    10, 0, INT_MAX, &num_ok, NULL);
     if (!num_ok) /* It's a string; let's ignore it. */
       continue;
+    if (version >= REND_PROTOCOL_VERSION_BITMASK_WIDTH)
+      /* Avoid undefined left-shift behaviour. */
+      continue;
     result->protocols |= 1 << version;
   }
   SMARTLIST_FOREACH(versions, char *, cp, tor_free(cp));