)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"3ed6c4c9485e4b190675c74b1d59ecfe1ed75c10","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Fix 1-byte buffer overrun on NTLMv2 proxy responses."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"An attacker controlling an HTTP proxy (or performing MITM on the"},{"line_number":10,"context_line":"plaintext pre-TLS proxy connection) can trigger a single 0-byte"},{"line_number":11,"context_line":"overrun to a buffer on the stack by sending a crafted NTLM Type"},{"line_number":12,"context_line":"2 challenge response."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"a1104ba8_b5c0316f","line":10,"updated":"2026-06-18 12:21:08.000000000","message":"A 0 byte overrun sounds like not an overrun at all. The subject also says 1 byte.","commit_id":"57bce06563118f9853c6002ae87653f3ec125f15"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"b35707445dabc124d74c3af4010e0e0f385c34e0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"2e0a079d_a587e425","updated":"2026-06-18 12:21:36.000000000","message":"This is quite convoluted code but the fix looks good.","commit_id":"57bce06563118f9853c6002ae87653f3ec125f15"}],"src/openvpn/ntlm.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"3ed6c4c9485e4b190675c74b1d59ecfe1ed75c10","unresolved":true,"context_lines":[{"line_number":211,"context_line":"    char userdomain[128];   /* the same as previous but ascii */"},{"line_number":212,"context_line":"    uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH];"},{"line_number":213,"context_line":"    uint8_t ntlmv2_hmacmd5[16];"},{"line_number":214,"context_line":"    uint8_t *ntlmv2_blob \u003d ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */"},{"line_number":215,"context_line":"    int ntlmv2_blob_size \u003d 0;"},{"line_number":216,"context_line":"    int phase3_bufpos \u003d 0x40;                    /* offset to next security buffer data to be added */"},{"line_number":217,"context_line":"    size_t len;"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"9eaf74ec_648ccee9","line":214,"updated":"2026-06-18 12:21:08.000000000","message":"So this pointer aliases ntlmv2_response. The length: 128 is weird and probably incorrect or meant as some maximum that normally occurs? I don\u0027t know. Since we already removed this in master, I think we can ignore it.","commit_id":"57bce06563118f9853c6002ae87653f3ec125f15"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"3ed6c4c9485e4b190675c74b1d59ecfe1ed75c10","unresolved":true,"context_lines":[{"line_number":345,"context_line":"    }"},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"    /* Unknown, zero works */"},{"line_number":348,"context_line":"    ntlmv2_blob[0x1c + tib_len] \u003d 0;"},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"    /* Get blob length */"},{"line_number":351,"context_line":"    ntlmv2_blob_size \u003d 0x20 + tib_len;"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"775331cc_3f049b8e","line":348,"updated":"2026-06-18 12:21:08.000000000","message":"Here we then have the off by one.","commit_id":"57bce06563118f9853c6002ae87653f3ec125f15"}]}