[Openvpn-devel,v2] Fix 1-byte buffer overrun on NTLMv2 proxy responses.

Message ID 20260618123729.18337-1-gert@greenie.muc.de
State New
Series [Openvpn-devel,v2] Fix 1-byte buffer overrun on NTLMv2 proxy responses.

Commit Message

Gert Doering June 18, 2026, 12:37 p.m. UTC
An attacker controlling an HTTP proxy (or performing MITM on the
plaintext pre-TLS proxy connection) can trigger a single 0-byte
overrun to a buffer on the stack by sending a crafted NTLM Type
2 challenge response.

The effects of this depend on memory layout, but could possibly lead
to a crashing OpenVPN client.

Reported-by: Tristan Madani (@TristanInSec)
CVE: 2026-11771
Github: OpenVPN/openvpn-private-issues#116

Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to release/2.7.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

Patch

diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 244ee94..9c4edf9 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -317,7 +317,7 @@ 
     if ((flags & 0x00800000) == 0x00800000)
     {
         tib_len = buf2[0x28]; /* Get Target Information block size */
-        if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response))
+        if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response))
         {
             msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len);
             return NULL;
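Review bot: the tightened bound at the changed line (`>` to `>=`) is correct but undocumented; since `tib_len + 0x1c + 16` is the number of payload bytes and the commit message says the overrun is the single trailing zero byte, the `>=` is what reserves room for that terminator, and nothing in the code says so. A one-line comment above the check, e.g. `/* >=: one byte must remain for the terminating NUL written after the response */`, would keep a later cleanup from "simplifying" it back to `>`. The magic `0x1c + 16` would also read better as named constants (or a comment giving the layout they stand for), so the size arithmetic can be checked against the buffer definition without counting offsets by hand. Separately, and outside this change: the context line `tib_len = buf2[0x28];` reads a single byte, while the TargetInfoLen field at that offset in an NTLM Type 2 message is 16 bits wide, so the bound check only ever sees the low byte of the advertised length; worth a follow-up that parses the full field so the check operates on the real value.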