commit f38a4a105979b87ebebe9be1c3d323116d3fb924
Author: Guido Vranken <guidovranken@gmail.com>
Date:   Fri May 19 14:04:25 2017 +0200

    Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
    
    Pre-authentication remote crash/information disclosure for clients
    
    If clients use a HTTP proxy with NTLM authentication (i.e.
    "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
    a man-in-the-middle attacker between the client and the proxy can
    cause the client to crash or disclose at most 96 bytes of stack
    memory. The disclosed stack memory is likely to contain the proxy
    password.
    
    If the proxy password is not reused, this is unlikely to compromise
    the security of the OpenVPN tunnel itself.  Clients who do not use
    the --http-proxy option with ntlm2 authentication are not affected.
    
    CVE: 2017-7520
    Signed-off-by: Guido Vranken <guidovranken@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
    URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)

Index: openvpn-2.3.4/src/openvpn/ntlm.c
===================================================================
--- openvpn-2.3.4.orig/src/openvpn/ntlm.c
+++ openvpn-2.3.4/src/openvpn/ntlm.c
@@ -193,7 +193,7 @@ ntlm_phase_3 (const struct http_proxy_in
 	 */
 	
   char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */
-  char buf2[128]; /* decoded reply from proxy */
+  unsigned char buf2[128]; /* decoded reply from proxy */
   unsigned char phase3[464];
 
   char md4_hash[MD4_DIGEST_LENGTH+5];
@@ -282,7 +282,13 @@ ntlm_phase_3 (const struct http_proxy_in
 			tib_len = buf2[0x28];/* Get Target Information block size */
 			if (tib_len > 96) tib_len = 96;
 			{
-			  char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
+			  char *tib_ptr;
+			  int tib_pos = buf2[0x2c];
+			  if (tib_pos + tib_len > sizeof(buf2))
+			    {
+			      return NULL;
+			    }
+			  tib_ptr = buf2 + tib_pos;			/* Get Target Information block pointer */
 			  memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
 			}
 		} else {