Fix a nigh-impossible overflow in cpuworker.c

When we compute the estimated microseconds we need to handle our
pending onionskins, we could (in principle) overflow a uint32_t if
we ever had 4 million pending onionskins before we had any data
about how onionskins take.  Nevertheless, let's compute it properly.

Fixes bug 8210; bugfix on 0.2.4.10. Found by coverity; this is CID
980651.

changes/bug8210

@@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - Fix an impossible-to-trigger integer overflow when
+      estimating how long out onionskin queue would take.  (This overflow
+      would require us to accept 4 million onionskins before processing
+      100 of them.) Fixes bug 8210; bugfix on 0.2.4.10-alpha.
+       

src/or/cpuworker.c

@@ -222,10 +222,10 @@ uint64_t
 estimated_usec_for_onionskins(uint32_t n_requests, uint16_t onionskin_type)
 {
   if (onionskin_type > MAX_ONION_HANDSHAKE_TYPE) /* should be impossible */
-    return 1000 * n_requests;
+    return 1000 * (uint64_t)n_requests;
   if (PREDICT_UNLIKELY(onionskins_n_processed[onionskin_type] < 100)) {
     /* Until we have 100 data points, just asssume everything takes 1 msec. */
-    return 1000 * n_requests;
+    return 1000 * (uint64_t)n_requests;
   } else {
     /* This can't overflow: we'll never have more than 500000 onionskins
      * measured in onionskin_usec_internal, and they won't take anything near