hipercontracer: don't consume LDAP/SASL/KRB_TOKEN_CFX_WRAP messages

See the capture in #9398 for an example.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

epan/dissectors/packet-hipercontracer.c

@@ -61,16 +61,43 @@ heur_dissect_hipercontracer(tvbuff_t *message_tvb, packet_info *pinfo, proto_tre
   if (length < 16)
     return FALSE;
 
+  const guint32 magic = tvb_get_ntohl(message_tvb, 0);
+
   // Send TTL cannot be < 1
   const guint8 sendTTL = tvb_get_guint8(message_tvb, 4);
   if (sendTTL < 1)
     return FALSE;
 
+  const guint8 round = tvb_get_guint8(message_tvb, 5);
+
+  const guint16 checksumTweak = tvb_get_ntohs(message_tvb, 6);
+
+  guint64 sendTimeStamp = tvb_get_ntoh64(message_tvb, 8);
+
+  /*
+   * Don't dissect a SASL ldap message, which starts with the
+   * first 12 bytes like this:
+   *
+   * Length: 00000091 (very, very unlikely larger than 24bits).
+   * Magic:  0504 (KRB_TOKEN_CFX_WRAP)
+   * Flags:  04  (0x01, 0x02, 0x04 are defined)
+   * Filler: ff
+   * EC:     000c
+   * RRC:    0000 or 000c
+   */
+  if ((magic & 0xff000000) == 0 &&
+      (magic & 0x00ffffff) != 0 &&
+      sendTTL == 0x05 &&
+      round == 0x04 &&
+      (checksumTweak & 0xf8ff) == 0x00ff &&
+      (sendTimeStamp & G_GUINT64_CONSTANT(0xff00ff0000000000)) == 0)
+    return FALSE;
+
   // Check for plausible send time stamp:
   // * After:  01.01.2016 00:00:00.000000
   // * Before: 31.12.2099 23:59.59.999999
   // Time stamp is microseconds since 29.09.1976 00:00:00.000000.
-  const guint64 sendTimeStamp = tvb_get_ntoh64(message_tvb, 8) + G_GUINT64_CONSTANT(212803200000000);
+  sendTimeStamp += G_GUINT64_CONSTANT(212803200000000);
   if ( (sendTimeStamp < G_GUINT64_CONSTANT(1451602800000000)) ||
        (sendTimeStamp > G_GUINT64_CONSTANT(4102441199999999)) )
     return FALSE;