Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1713?usp=email

to look at the new patch set (#2).


Change subject: Fix 1-byte buffer overrun on NTLMv2 proxy responses.
......................................................................

Fix 1-byte buffer overrun on NTLMv2 proxy responses.

An attacker controlling an HTTP proxy (or performing MITM on the
plaintext pre-TLS proxy connection) can trigger a single 0-byte
overrun to a buffer on the stack by sending a crafted NTLM Type
2 challenge response.

The effects of this depend on memory layout, but could possibly lead
to a crashing OpenVPN client.

Reported-by: Tristan Madani (@TristanInSec)
CVE: 2026-11771
Github: OpenVPN/openvpn-private-issues#116

Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6
Signed-off-by: Gert Doering <[email protected]>
---
M src/openvpn/ntlm.c
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/13/1713/2

diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 244ee94..9c4edf9 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -317,7 +317,7 @@
     if ((flags & 0x00800000) == 0x00800000)
     {
         tib_len = buf2[0x28]; /* Get Target Information block size */
-        if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response))
+        if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response))
         {
             msg(M_WARN, "NTLM: target information buffer too long for response 
(len=%d)", tib_len);
             return NULL;
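Review bot: the changed condition `tib_len + 0x1c + 16 >= sizeof(ntlmv2_response)` still depends on the bare constants 0x1c and 16, and nothing in the hunk says which write needs the extra byte that `>=` now reserves. Since the commit message describes a single byte written past the buffer, a one-line comment above the check naming that trailing byte (or a check written as total bytes written compared with `sizeof(ntlmv2_response)`) would keep the bound and the later write in sync if either changes. Separately, `tib_len` is taken from `buf2[0x28]`, which is attacker-supplied according to the commit message; the visible context does not show whether the received message is known to be long enough to contain offset 0x28 and the `tib_len` bytes that follow, so that is worth confirming in the surrounding code.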

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1713?usp=email

Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: release/2.7
Gerrit-Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6
Gerrit-Change-Number: 1713
Gerrit-PatchSet: 2
Gerrit-Owner: cron2 <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>