authorRonnie Sahlberg <ronnie_sahlberg@ozemail.com.au>2007-09-25 07:47:00 +0000
committerRonnie Sahlberg <ronnie_sahlberg@ozemail.com.au>2007-09-25 07:47:00 +0000
commitdea0c3c9de82f45858c9ac62430644f5283b290f (patch)
treee51dcaad8d12ee062ee30bd68de6f4584de863d8 /asn1/ldap/packet-ldap-template.c
parentdc3fcc1c5ba958ebe5b08bbcd92b8704f7798407 (diff)
not all SASL protected blobs use a GSS wrapper for the payload so we
can't check that the payload starts with BER tag 0x60 and an oid. instead check that the length bytes (first 4 bytes) look sane and that SASL authentication has been negotiated on the connection. also, sometimes clients will mix both non-SASL and SASL protected LDAP traffic on the same tcp connection by initially performing simple unauthenticated searches on the database before performing the Bind. svn path=/trunk/; revision=22948
Diffstat (limited to 'asn1/ldap/packet-ldap-template.c')
-rw-r--r--asn1/ldap/packet-ldap-template.c39
1 files changed, 21 insertions, 18 deletions
diff --git a/asn1/ldap/packet-ldap-template.c b/asn1/ldap/packet-ldap-template.c
index c5ccac317c..c3d8227128 100644
--- a/asn1/ldap/packet-ldap-template.c
+++ b/asn1/ldap/packet-ldap-template.c
@@ -1331,12 +1331,28 @@ dissect_ldap_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
guint32 ldap_len;
int offset;
gboolean ind;
+ conversation_t *conversation;
+ ldap_conv_info_t *ldap_info = NULL;
+
+ /*
+ * Do we have a conversation for this connection?
+ */
+ conversation = find_conversation(pinfo->fd->num,
+ &pinfo->src, &pinfo->dst,
+ pinfo->ptype, pinfo->srcport,
+ pinfo->destport, 0);
+ if(conversation){
+ ldap_info = conversation_get_proto_data(conversation, proto_ldap);
+ }
ldm_tree = NULL;
/* This is a bit tricky. We have to find out whether SASL is used
* so that we know how big a header we are supposed to pass
* to tcp_dissect_pdus()
+ * We must also cope with the case when a client connects to LDAP
+ * and performs a few unauthenticated searches of LDAP before
+ * it performs the bind on the same tcp connection.
*/
/* check for a SASL header, i.e. assume it is SASL if
* 1, first four bytes (SASL length) is an integer
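Review bot: `ldap_info` as fetched here is state for the whole TCP conversation, while the comment added just below says the same connection can carry unprotected searches before the Bind. Once `auth_type` is `LDAP_AUTH_SASL`, any later dissection of those earlier frames presumably sees the same value, so for them only the 4-byte length test further down keeps them out of the SASL path. I would say so next to the lookup, e.g. `/* auth_type is per connection, not per frame; pre-Bind PDUs are told apart only by the length test below */`. If the conversation data also records the frame at which the security layer starts (not visible here), comparing `pinfo->fd->num` against it would be the stricter test. dissect_ldap_tcp begins and ends outside this hunk.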
@@ -1345,16 +1361,8 @@ dissect_ldap_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
* "random" tcp payload)
* (no SASL ldap PDUs are ever going to be >64k in size?)
*
- * Following the SASL header is a GSSAPI blob so the next byte
- * is always 0x60. (only true for MS SASL LDAP, there are other
- * blobs that may follow in real-world)
- *
- * 2, Then one byte with the value 0x60 indicating the GSSAPI blob
- *
- * 3, Then X bytes describing the BER encoded lengtyh of the blob.
- * This length should point to the same end-of-pdu as 1,
- *
- * 4, finally a byte 0x06 indicating that the next object is an OID
+ * 2, we must have a conversation and the auth type must
+ * be LDAP_AUTH_SASL
*/
sasl_len=tvb_get_ntohl(tvb, 0);
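Review bot: The rewritten comment does not say that the bytes after the 4-byte length are no longer inspected at all, which is the main consequence of dropping the 0x60/OID checks. With this commit any segment on a SASL conversation whose length word passes the range test is handed to `tcp_dissect_pdus()` with `get_sasl_ldap_pdu_len`, so the SASL PDU dissector has to cope with arbitrary, possibly malformed blobs from a capture. I would add under item 2 a line such as `* The payload itself is not validated here; dissect_sasl_ldap_pdu must tolerate non-GSSAPI and malformed blobs.` and turn the retained `>64k` question into a statement that matches the `sasl_len>65535` check added further down. The comment block starts above this hunk.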
@@ -1362,21 +1370,16 @@ dissect_ldap_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
goto this_was_not_sasl;
}
- if(tvb_get_guint8(tvb, 4)!=0x60){
+ if( sasl_len>65535 ){
goto this_was_not_sasl;
}
- offset=get_ber_length(tvb, 5, &gss_len, &ind);
- if(sasl_len!=(gss_len+offset-4)){
- goto this_was_not_sasl;
- }
-
- if(tvb_get_guint8(tvb, offset)!=0x06){
+ if((!ldap_info) || (ldap_info->auth_type!=LDAP_AUTH_SASL) ){
goto this_was_not_sasl;
}
tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 4, get_sasl_ldap_pdu_len, dissect_sasl_ldap_pdu);
-
+ return;
this_was_not_sasl:
/* check if it is a normal BER encoded LDAP packet