diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
index 0f0d842570..3d2008808b 100644
--- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
+++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
@@ -24,13 +24,26 @@ refine connection NTLM_Conn += {
 return result;
 %}
- function build_av_record(val: NTLM_AV_Pair_Sequence): BroVal
+ function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): BroVal
 %{
 RecordVal* result = new RecordVal(BifType::Record::NTLM::AVs);
- for ( uint i = 0; ${val.pairs[i].id} != 0; i++ )
+ for ( uint i = 0; ; i++ )
 {
+ if ( i >= ${val.pairs}->size() )
+ {
+ if ( len != 0 )
+ // According to spec, the TargetInfo MUST be a sequence of
+ // AV_PAIRs and terminated by the null AV_PAIR when the
+ // TargetInfoLen is non-zero, so this is in violation.
+ bro_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow");
+
+ return result;
+ }
+
 switch ( ${val.pairs[i].id} )
 {
+ case 0:
+ return result;
 case 1:
 result->Assign(0, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
 break;
@@ -131,7 +144,7 @@ refine connection NTLM_Conn += {
 result->Assign(2, build_version_record(${val.version}));
 if ( ${val}->has_target_info() )
- result->Assign(3, build_av_record(${val.target_info}));
+ result->Assign(3, build_av_record(${val.target_info}, ${val.target_info_fields.length}));
 BifEvent::generate_ntlm_challenge(bro_analyzer(), bro_analyzer()->Conn(),
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/dpd.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/dpd.log
new file mode 100644
index 0000000000..e0ac743b18
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/dpd.log
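Review bot: The three-line comment added between `if ( len != 0 )` and its lone `ProtocolViolation(...)` statement separates the condition from the body it guards, so a later edit that adds a second statement after the comment would silently fall outside the `if`; move the comment above the `if ( len != 0 )` line, or brace the call as the enclosing `if ( i >= ${val.pairs}->size() )` already does. The new `len` parameter also needs a one-line contract, for example `// len: TargetInfoLen from the CHALLENGE; 0 means no AV_PAIRs are expected, so exhausting the parsed sequence is only a violation when len != 0`, since the caller in the second hunk passes `${val.target_info_fields.length}` with no hint of that meaning. The added size check is the part that matters for robustness: the old loop condition read `${val.pairs[i].id}` with no bound other than finding a zero id, so a TargetInfo without a null AV_PAIR walked past the end of the parsed sequence on untrusted input. The message "NTLM AV Pair loop underflow" names that old failure rather than the condition now detected (a non-zero TargetInfoLen without the terminating null pair); it is pinned by the two new dpd.log baselines, so changing it to something like `"NTLM TargetInfo missing null AV_PAIR terminator"` would require regenerating them. build_av_record's switch and the rest of the function continue past the hunk.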
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open 2019-08-26-17-26-38
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+1056991898.901892 CHhAvVGS1DHFjwGM9 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM NTLM AV Pair loop underflow
+#close 2019-08-26-17-26-38
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/ntlm.log
new file mode 100644
index 0000000000..4af05b67d0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/ntlm.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ntlm
+#open 2019-08-26-17-26-38
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname server_nb_computer_name server_dns_computer_name server_tree_name success
+#types time string addr port addr port string string string string string string bool
+1056991898.900518 CHhAvVGS1DHFjwGM9 192.168.0.173 1068 192.168.0.2 4997 - - - - - - -
+#close 2019-08-26-17-26-38
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/dpd.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/dpd.log
new file mode 100644
index 0000000000..206c49fb8f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/dpd.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open 2019-08-26-17-26-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+1056991898.901892 CHhAvVGS1DHFjwGM9 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM NTLM AV Pair loop underflow
+#close 2019-08-26-17-26-39
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/ntlm.log
new file mode 100644
index 0000000000..7626e6f0ea
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/ntlm.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ntlm
+#open 2019-08-26-17-26-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname server_nb_computer_name server_dns_computer_name server_tree_name success
+#types time string addr port addr port string string string string string string bool
+1056991898.900518 CHhAvVGS1DHFjwGM9 192.168.0.173 1068 192.168.0.2 4997 - - - SATURN - - -
+#close 2019-08-26-17-26-39
diff --git a/testing/btest/Traces/dce-rpc/ntlm-empty-av-sequence.pcap b/testing/btest/Traces/dce-rpc/ntlm-empty-av-sequence.pcap
new file mode 100644
index 0000000000..2d7e7631f9
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/ntlm-empty-av-sequence.pcap differ
diff --git a/testing/btest/Traces/dce-rpc/ntlm-unterminated-av-sequence.pcap b/testing/btest/Traces/dce-rpc/ntlm-unterminated-av-sequence.pcap
new file mode 100644
index 0000000000..55a9819f3c
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/ntlm-unterminated-av-sequence.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/ntlm-empty-av-pair-seq.zeek b/testing/btest/scripts/base/protocols/dce-rpc/ntlm-empty-av-pair-seq.zeek
new file mode 100644
index 0000000000..b2209323eb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/ntlm-empty-av-pair-seq.zeek
@@ -0,0 +1,8 @@
+# Tests for good parsing/handling of empty NTLM AV Pair sequences.
+
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/ntlm-empty-av-sequence.pcap %INPUT
+# @TEST-EXEC: btest-diff ntlm.log
+# @TEST-EXEC: btest-diff dpd.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/ntlm-unterminated-av-pair-seq.zeek b/testing/btest/scripts/base/protocols/dce-rpc/ntlm-unterminated-av-pair-seq.zeek
new file mode 100644
index 0000000000..1e14479b6e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/ntlm-unterminated-av-pair-seq.zeek
@@ -0,0 +1,8 @@
+# Tests for good parsing/handling of unterminated NTLM AV Pair sequences.
+
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/ntlm-unterminated-av-sequence.pcap %INPUT
+# @TEST-EXEC: btest-diff ntlm.log
+# @TEST-EXEC: btest-diff dpd.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
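Review bot: The header comment `# Tests for good parsing/handling of empty NTLM AV Pair sequences.` does not say what "good" means here, while the accompanying dpd.log baseline shows the expected result is a logged NTLM protocol violation with ntlm.log still written; spelling that out lets a future baseline change be recognised as a regression rather than noise. Something like `# The CHALLENGE's TargetInfo has no terminating null AV_PAIR; expect a dpd.log violation and an ntlm.log entry, not a crash or a read past the parsed sequence.` would do, adjusted for the empty-sequence case (per the baseline the violation fires for it too, which with the new analyzer check implies a non-zero TargetInfoLen, though the trace itself is not visible here). The same applies to the ntlm-unterminated-av-pair-seq.zeek script in the following hunk.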