Fix an uninitialized-read when parsing v3 introduction requests.

Fortunately, later checks mean that uninitialized data can't get sent
to the network by this bug.  Unfortunately, reading uninitialized heap
*can* (in some cases, with some allocators) cause a crash if you get
unlucky and go off the end of a page.

Found by asn.  Bugfix on 0.2.4.1-alpha.

changes/v3_intro_len

@@ -0,0 +1,8 @@
+  o Major bugfixes:
+
+    - Fix an uninitialized read that could (in some cases) lead to a remote
+      crash while parsing INTRODUCE 1 cells. (This is, so far as we know,
+      unrelated to the recent news.)  Fixes bug XXX; bugfix on
+      0.2.4.1-alpha. Anybody running a hidden service on the experimental
+      0.2.4.x branch should upgrade.
+

src/or/rendservice.c

@@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3(
       }
   }
 
-  /* Check that we actually have everything up to the timestamp */
-  if (plaintext_len < (size_t)(ts_offset)) {
+  /* Check that we actually have everything up through the timestamp */
+  if (plaintext_len < (size_t)(ts_offset)+4) {
     if (err_msg_out) {
       tor_asprintf(err_msg_out,
                    "truncated plaintext of encrypted parted of "
@@ -1922,12 +1922,6 @@ rend_service_parse_intro_for_v3(
     memcpy(intro->u.v3.auth_data, buf + 4, intro->u.v3.auth_len);
   }
 
-  /*
-   * Apparently we don't use the timestamp any more, but might as well copy
-   * over just in case we ever care about it.
-   */
-  intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset));
-
   /*
    * From here on, the format is as in v2, so we call the v2 parser with
    * adjusted buffer and length.  We are 4 + ts_offset octets in, but the

src/or/rendservice.h

@@ -56,8 +56,6 @@ struct rend_intro_cell_s {
       uint16_t auth_len;
       /* Auth data */
       uint8_t *auth_data;
-      /* timestamp */
-      uint32_t timestamp;
       /* Rendezvous point's IP address/port, identity digest and onion key */
       extend_info_t *extend_info;
     } v3;