Add extra sanity check for SDP packets in libsdp(3)

Fix yet another endianess bug in sdpd(8)

2 files changed, 4 insertions, 1 deletions

diff --git a/lib/libsdp/search.c b/lib/libsdp/search.c
index 42f162d..20fc7e3 100644
--- a/lib/libsdp/search.c
+++ b/lib/libsdp/search.c
@@ -167,6 +167,7 @@ sdp_search(void *xss,
 
 		if (xpdu.pdu.pid == SDP_PDU_ERROR_RESPONSE ||
 		    xpdu.pdu.tid != ss->tid ||
+		    xpdu.pdu.len > len ||
 		    xpdu.len > xpdu.pdu.len) {
 			ss->error = EIO;
 			return (-1);
diff --git a/usr.sbin/bluetooth/sdpd/sar.c b/usr.sbin/bluetooth/sdpd/sar.c
index 5bf8448..4fc25d9 100644
--- a/usr.sbin/bluetooth/sdpd/sar.c
+++ b/usr.sbin/bluetooth/sdpd/sar.c
@@ -277,7 +277,7 @@ server_send_service_attribute_response(server_p srv, int32_t fd)
 
 	assert(rsp_end >= rsp);
 
-	bcount = htons(rsp_end - rsp);
+	bcount = rsp_end - rsp;
 
 	if (((sdp_pdu_p)(srv->req))->pid == SDP_PDU_SERVICE_ATTRIBUTE_REQUEST)
 		pdu.pid = SDP_PDU_SERVICE_ATTRIBUTE_RESPONSE;
@@ -287,6 +287,8 @@ server_send_service_attribute_response(server_p srv, int32_t fd)
 	pdu.tid = ((sdp_pdu_p)(srv->req))->tid;
 	pdu.len = htons(sizeof(bcount) + bcount + 1 + cs[0]);
 
+	bcount = htons(bcount);
+
 	iov[0].iov_base = &pdu;
 	iov[0].iov_len = sizeof(pdu);