process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes.
CVE-2019-16239 (Candidate) is related to these bugs: