If we encounter an excessively long filter string or one with too many

elements, add an expert item and throw a ReportedBoundsError. We may
want to handle this more cleanly in the future but this avoids
allocating a huge amount of memory.

svn path=/trunk/; revision=36101

2 files changed, 17 insertions, 0 deletions

diff --git a/asn1/ldap/ldap.cnf b/asn1/ldap/ldap.cnf
index 7d7e45788c..e11aefe7c3 100644
--- a/asn1/ldap/ldap.cnf
+++ b/asn1/ldap/ldap.cnf
@@ -678,6 +678,16 @@ offset = dissect_ber_boolean(implicit_tag, actx, tree, tvb, offset, hf_index, &v
 	proto_item *it=NULL;
 	attributedesc_string=NULL;
 
+	if (Filter_length++ > MAX_FILTER_LEN) {
+		expert_add_info_format(actx->pinfo, tree, PI_UNDECODED, PI_ERROR, "Filter length exceeds %%u. Giving up.", MAX_FILTER_LEN);
+		THROW(ReportedBoundsError);
+	}
+
+	if (Filter_elements++ > MAX_FILTER_ELEMENTS) {
+		expert_add_info_format(actx->pinfo, tree, PI_UNDECODED, PI_ERROR, "Found more than %%u filter elements. Giving up.", MAX_FILTER_ELEMENTS);
+		THROW(ReportedBoundsError);
+	}
+
 	if(tree){
 		it=proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset), "Filter: ");
 		tr=proto_item_add_subtree(it, ett_ldap_Filter);
diff --git a/asn1/ldap/packet-ldap-template.c b/asn1/ldap/packet-ldap-template.c
index 5e4d7797b2..74dffda805 100644
--- a/asn1/ldap/packet-ldap-template.c
+++ b/asn1/ldap/packet-ldap-template.c
@@ -103,6 +103,7 @@
 #include <epan/dissectors/packet-windows-common.h>
 #include <epan/dissectors/packet-dcerpc.h>
 #include <epan/asn1.h>
+#include <epan/expert.h>
 
 #include "packet-ldap.h"
 #include "packet-ntlmssp.h"
@@ -576,6 +577,12 @@ static const char *substring_item_final=NULL;
 static const char *matching_rule_string=NULL;
 static gboolean matching_rule_dnattr=FALSE;
 
+#define MAX_FILTER_LEN 4096
+static gint Filter_length;
+
+#define MAX_FILTER_ELEMENTS 200
+static gint Filter_elements;
+
 /* Global variables */
 char *mechanism = NULL;
 static gint MessageID =-1;