From 20a87f0335a251b321aeb43b41fcd9beaec302c0 Mon Sep 17 00:00:00 2001
From: Brian Dwyer <Brian.Dwyer@broadridge.com>
Date: Sat, 18 Apr 2020 13:43:34 -0400
Subject: [PATCH] Address out of bounds panic on Proxy-Authenticate header

Signed-off-by: Brian Dwyer <Brian.Dwyer@broadridge.com>
---
 ntlm_windows.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ntlm_windows.go b/ntlm_windows.go
index fe59578..7d1436b 100644
--- a/ntlm_windows.go
+++ b/ntlm_windows.go
@@ -10,6 +10,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/alexbrainman/sspi"
 	"github.com/alexbrainman/sspi/ntlm"
@@ -70,7 +71,18 @@ func dialNTLM(p Proxy, addr string, baseDial func() (net.Conn, error)) (net.Conn
 		return conn, errors.New("Unexpected HTTP status code")
 	}
 
-	challenge, err := base64.StdEncoding.DecodeString(resp.Header["Proxy-Authenticate"][0][5:])
+	challengeHeaders, found := resp.Header["Proxy-Authenticate"]
+	if !found {
+		return conn, errors.New("did not receive a challenge from the server")
+	}
+	if len(challengeHeaders) != 1 {
+		return conn, errors.New("received malformed challenge from the server")
+	}
+	if len(challengeHeaders[0]) < 6 || !strings.HasPrefix(challengeHeaders[0], "NTLM ") {
+		return conn, errors.New("received malformed challenge from the server")
+	}
+
+	challenge, err := base64.StdEncoding.DecodeString(challengeHeaders[0][5:])
 	if err != nil {
 		debugf("ntlm> Could not read challenge response")
 		return conn, err