2 files changed, 5 insertions, 2 deletions

diff --git a/asn1/ldap/packet-ldap-template.c b/asn1/ldap/packet-ldap-template.c
index b3536f03a1..2bd70b7e3c 100644
--- a/asn1/ldap/packet-ldap-template.c
+++ b/asn1/ldap/packet-ldap-template.c
@@ -1383,10 +1383,11 @@ dissect_ldap_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	 */
 	/* check for a SASL header, i.e. assume it is SASL if 
 	 * 1, first four bytes (SASL length) is an integer 
-	 *    with a value that must be <64k and >2
+	 *    with a value that must be <LDAP_SASL_MAX_BUF and >2
 	 *    (>2 to fight false positives, 0x00000000 is a common
 	 *        "random" tcp payload)
-	 * (no SASL ldap PDUs are ever going to be >64k in size?)
+	 * (SASL ldap PDUs might be >64k in size, which is why 
+	 * LDAP_SASL_MAX_BUF is used - defined in packet-ldap.h)
 	 *
 	 * 2, we must have a conversation and the auth type must
 	 *    be LDAP_AUTH_SASL
diff --git a/asn1/ldap/packet-ldap-template.h b/asn1/ldap/packet-ldap-template.h
index 75850cfbe9..a181b90891 100644
--- a/asn1/ldap/packet-ldap-template.h
+++ b/asn1/ldap/packet-ldap-template.h
@@ -79,6 +79,8 @@
 #define LDAP_MOD_DELETE         1
 #define LDAP_MOD_REPLACE        2
 
+#define LDAP_SASL_MAX_BUF	4*64*1024
+
 typedef struct ldap_call_response {
   gboolean is_request;
   guint32 req_frame;