Attention is currently required from: cron2.

plaisthos has posted comments on this change by cron2. ( http://gerrit.openvpn.net/c/openvpn/+/1713?usp=email )

Change subject: Fix 1-byte buffer overrun on NTLMv2 proxy responses.
......................................................................

Patch Set 2: Code-Review+2

(3 comments)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/1713/comment/a1104ba8_b5c0316f?usp=email :
PS2, Line 10: plaintext pre-TLS proxy connection) can trigger a single 0-byte
A 0 byte overrun sounds like not an overrun at all. The subject also says 1 byte.

File src/openvpn/ntlm.c:

http://gerrit.openvpn.net/c/openvpn/+/1713/comment/9eaf74ec_648ccee9?usp=email :
PS2, Line 214: uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
So this pointer aliases ntlmv2_response. The length: 128 is weird and probably incorrect or meant as some maximum that normally occurs? I don't know. Since we already removed this in master, I think we can ignore it.

http://gerrit.openvpn.net/c/openvpn/+/1713/comment/775331cc_3f049b8e?usp=email :
PS2, Line 348: ntlmv2_blob[0x1c + tib_len] = 0;
Here we then have the off by one.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1713?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: release/2.7
Gerrit-Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6
Gerrit-Change-Number: 1713
Gerrit-PatchSet: 2
Gerrit-Owner: cron2 <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: cron2 <[email protected]>
Gerrit-Comment-Date: Thu, 18 Jun 2026 12:21:08 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
