From e75e88c50733e5a17498c902c08d490a7326c623 Mon Sep 17 00:00:00 2001
From: skarg
Date: Mon, 8 Dec 2008 20:17:53 +0000
Subject: [PATCH] Corrected buffer overflow problem with the npdu decoder found by stress testing the stack. Thank you Cameron!
---
 bacnet-stack/src/npdu.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/bacnet-stack/src/npdu.c b/bacnet-stack/src/npdu.c
index 7eae520a..276191df 100644
--- a/bacnet-stack/src/npdu.c
+++ b/bacnet-stack/src/npdu.c
@@ -297,6 +297,11 @@ int npdu_decode(
 dest->len = address_len;
 }
 if (address_len) {
+ if ( address_len > MAX_MAC_LEN ) {
+ /* address is too large could be a malformed message */
+ return -1;
+ }
+
 for (i = 0; i < address_len; i++) {
 mac_octet = npdu[len++];
 if (dest)
@@ -327,6 +332,11 @@ int npdu_decode(
 src->len = address_len;
 }
 if (address_len) {
+ if ( address_len > MAX_MAC_LEN ) {
+ /* address is too large could be a malformed message */
+ return -1;
+ }
+
 for (i = 0; i < address_len; i++) {
 mac_octet = npdu[len++];
 if (src)
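Review bot: In both hunks the new `address_len > MAX_MAC_LEN` check runs after `dest->len = address_len;` (and `src->len = address_len;` in the second hunk) has already stored the oversized value, so on the `return -1` path the caller's address struct is left with a length that presumably exceeds its MAC array. A caller that ignores the return value and later iterates by that length would still go out of bounds; moving the check above the assignment, or adding `dest->len = 0;` (respectively `src->len = 0;`, under the same NULL guard the loop uses) before `return -1;`, would close that. Separately, the loop still reads `npdu[len++]` with no visible bound against the received frame length, so a truncated message whose address_len passes the new check may read past the data; whether a PDU length is available to npdu_decode is not visible in these hunks. The function body starts and ends outside both hunks, so callers' handling of a negative return should be confirmed as well.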