From bdf57ad7808ee446d7f03a42fac4554fcaca8c16 Mon Sep 17 00:00:00 2001
From: "andre@comet" <117835572+andre-comet@users.noreply.github.com>
Date: Tue, 29 Nov 2022 11:07:46 +0100
Subject: [PATCH] check for invalid mailbox header length
---
 soem/ethercatcoe.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/soem/ethercatcoe.c b/soem/ethercatcoe.c
index 3f29e1f1..d21bd79a 100644
--- a/soem/ethercatcoe.c
+++ b/soem/ethercatcoe.c
@@ -238,7 +238,8 @@ int ecx_SDOread(ecx_contextt *context, uint16 slave, uint16 index, uint8 subinde
 /* slave response should be CoE, SDO response */
 if ((((aSDOp->MbxHeader.mbxtype & 0x0f) == ECT_MBXT_COE) &&
 ((etohs(aSDOp->CANOpen) >> 12) == ECT_COES_SDORES) &&
- ((aSDOp->Command & 0xe0) == 0x00)))
+ ((aSDOp->Command & 0xe0) == 0x00) &&
+ (etohs(aSDOp->MbxHeader.length) >= 3)))
 {
 /* calculate mailbox transfer size */
 Framedatasize = etohs(aSDOp->MbxHeader.length) - 3;
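Review bot: The added guard `(etohs(aSDOp->MbxHeader.length) >= 3)` bounds the slave-supplied length only from below, so `Framedatasize = etohs(aSDOp->MbxHeader.length) - 3` no longer goes negative but can still take any value the 16-bit field allows. Both the start of ecx_SDOread and the code that consumes Framedatasize are outside this hunk; if it is used there as a copy length, the same condition should also cap it against the receive mailbox size and the space remaining in the caller's buffer, e.g. `(etohs(aSDOp->MbxHeader.length) <= MBX_PAYLOAD_LIMIT_PLACEHOLDER)` with the project's real limit substituted. The literal 3 now appears in both the check and the subtraction, so a named constant for the header bytes it stands for would keep the two in step. A short comment such as `/* length comes from the slave; reject values that would underflow Framedatasize */` would record why the check exists.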