From patchwork Thu Jun 18 12:37:24 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 5031
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 18 Jun 2026 14:37:24 +0200
Message-ID: <20260618123729.18337-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.53.0
Subject: [Openvpn-devel] [PATCH v2] Fix 1-byte buffer overrun on NTLMv2 proxy responses.

An attacker controlling an HTTP proxy (or performing MITM on the plaintext pre-TLS proxy connection) can trigger a single 0-byte overrun to a buffer on the stack by sending a crafted NTLM Type 2 challenge response. The effects of this depend on memory layout, but could possibly lead to a crashing OpenVPN client.

Reported-by: Tristan Madani (@TristanInSec)
CVE: 2026-11771
Github: OpenVPN/openvpn-private-issues#116
Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6
Signed-off-by: Gert Doering Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.7. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 244ee94..9c4edf9 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -317,7 +317,7 @@ if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ - if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response)) + if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response)) { msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len); return NULL;
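Review bot: the switch from `>` to `>=` in the length check is the right boundary, and it deserves a one-line comment so nobody "tidies" it back: with `>`, a `tib_len` for which `tib_len + 0x1c + 16` equals `sizeof(ntlmv2_response)` passes the check, and the write that follows runs one byte past the end of the stack buffer, which is exactly the overrun the commit message describes. Suggest something like `/* >= : a block that exactly fills the buffer still overruns by one byte */` above `if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response))`. Also note for reviewers that `tib_len` is taken from the single element `buf2[0x28]` and used unchanged in the `%d` warning, so the warning value is the attacker-supplied length as read, which is useful when triaging logs for this condition.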