1 files changed, 17 insertions, 3 deletions

diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c
index b281f62ed0..496fec527f 100644
--- a/source4/libcli/ldap/ldap.c
+++ b/source4/libcli/ldap/ldap.c
@@ -219,8 +219,15 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
 			asn1_push_tag(&data, ASN1_CONTEXT(3));
 			asn1_write_OctetString(&data, r->creds.SASL.mechanism,
 					       strlen(r->creds.SASL.mechanism));
-			asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
-					       r->creds.SASL.secblob.length);
+			/* The value of data indicates if this
+			 * optional element exists at all.  In SASL
+			 * there is a difference between NULL and
+			 * zero-legnth, but our APIs don't express it
+			 * well */
+			if (r->creds.SASL.secblob.data) {
+				asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
+						       r->creds.SASL.secblob.length);
+			}
 			asn1_pop_tag(&data);
 			break;
 		default:
@@ -234,7 +241,14 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
 		struct ldap_BindResponse *r = &msg->r.BindResponse;
 		asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
 		ldap_encode_response(&data, &r->response);
-		asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+		/* The value of data indicates if this
+		 * optional element exists at all.  In SASL
+		 * there is a difference between NULL and
+		 * zero-legnth, but our APIs don't express it
+		 * well */
+		if (r->SASL.secblob.data) {
+			asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+		}
 		asn1_pop_tag(&data);
 		break;
 	}