1 files changed, 2 insertions, 1 deletions

diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index b6abf14a11..f74bb97ee2 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -135,7 +135,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
 /* Descriptor ruleset for the encrypted section. */
 static token_rule_t hs_desc_encrypted_v3_token_table[] = {
   T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
-  T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
+  T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ),
   T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
   END_OF_TABLE
 };
@@ -2312,6 +2312,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
   /* Authentication type. It's optional but only once. */
   tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
   if (tok) {
+    tor_assert(tok->n_args >= 1);
     if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
       log_warn(LD_REND, "Service descriptor authentication type has "
                         "invalid entry(ies).");