cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1713?usp=email )
Change subject: Fix 1-byte buffer overrun on NTLMv2 proxy responses. ...................................................................... Fix 1-byte buffer overrun on NTLMv2 proxy responses. An attacker controlling an HTTP proxy (or performing MITM on the plaintext pre-TLS proxy connection) can trigger a single 0-byte overrun to a buffer on the stack by sending a crafted NTLM Type 2 challenge response. The effects of this depend on memory layout, but could possibly lead to a crashing OpenVPN client. Reported-by: Tristan Madani (@TristanInSec) CVE: 2026-11771 Github: OpenVPN/openvpn-private-issues#116 Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6 Signed-off-by: Gert Doering <[email protected]> Acked-by: Arne Schwabe <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg37218.html Signed-off-by: Gert Doering <[email protected]> --- M src/openvpn/ntlm.c 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 244ee94..9c4edf9 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -317,7 +317,7 @@ if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ - if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response)) + if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response)) { msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len); return NULL; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1713?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: release/2.7 Gerrit-Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6 Gerrit-Change-Number: 1713 Gerrit-PatchSet: 3 Gerrit-Owner: cron2 <[email protected]> Gerrit-Reviewer: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
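Review bot: the changed bound in the hunk at @@ -317,7 +317,7 @@, `if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response))`, carries no comment explaining why the comparison has to be `>=` rather than `>`, so the off-by-one is easy to reintroduce in a later cleanup. The commit message says the overrun is a single 0 byte written past the stack buffer, but nothing at the check records that one byte beyond `tib_len + 0x1c + 16` must still fit. Suggest a short comment on that line naming what `0x1c` and `16` account for and noting the extra trailing byte, or writing the reserve out explicitly as `tib_len + 0x1c + 16 + 1 > sizeof(ntlmv2_response)` so the intent is visible in the expression. Separately, `tib_len` is taken from the single byte `buf2[0x28]` of the proxy-supplied message; the visible context does not show whether the received length was checked to cover offset 0x28 before this read, which is worth confirming in the surrounding code.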
