diff --git a/lib/libsdp/search.c b/lib/libsdp/search.c
index 42f162daf831..20fc7e309a4a 100644
--- a/lib/libsdp/search.c
+++ b/lib/libsdp/search.c
@@ -167,6 +167,7 @@ sdp_search(void *xss,
 if (xpdu.pdu.pid == SDP_PDU_ERROR_RESPONSE ||
 xpdu.pdu.tid != ss->tid ||
+ xpdu.pdu.len > len ||
 xpdu.len > xpdu.pdu.len) {
 ss->error = EIO;
 return (-1);
diff --git a/usr.sbin/bluetooth/sdpd/sar.c b/usr.sbin/bluetooth/sdpd/sar.c
index 5bf8448619e4..4fc25d92b118 100644
--- a/usr.sbin/bluetooth/sdpd/sar.c
+++ b/usr.sbin/bluetooth/sdpd/sar.c
@@ -277,7 +277,7 @@ server_send_service_attribute_response(server_p srv, int32_t fd)
 assert(rsp_end >= rsp);
- bcount = htons(rsp_end - rsp);
+ bcount = rsp_end - rsp;
 if (((sdp_pdu_p)(srv->req))->pid == SDP_PDU_SERVICE_ATTRIBUTE_REQUEST)
 pdu.pid = SDP_PDU_SERVICE_ATTRIBUTE_RESPONSE;
@@ -287,6 +287,8 @@ server_send_service_attribute_response(server_p srv, int32_t fd)
 pdu.tid = ((sdp_pdu_p)(srv->req))->tid;
 pdu.len = htons(sizeof(bcount) + bcount + 1 + cs[0]);
+ bcount = htons(bcount);
+
 iov[0].iov_base = &pdu;
 iov[0].iov_len = sizeof(pdu);
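Review bot: The added bound `xpdu.pdu.len > len` in the sdp_search() response check may still be looser than the data actually received. If `len` is the byte count of the whole response read from the socket (its assignment is outside this hunk), it includes the PDU header, whereas `pdu.len` counts only the bytes that follow the header, so a peer-supplied length a few bytes past the received data would still pass. Consider bounding against the payload instead, e.g. `(size_t)xpdu.pdu.len + sizeof(xpdu.pdu) > (size_t)len ||`, assuming `len` has already been checked to be non-negative, and confirm that the `xpdu.len > xpdu.pdu.len` test leaves room for whatever fields follow the byte count. A one-line comment stating which length each field represents would make the check auditable; the function body starts and ends outside the hunk.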
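Review bot: At `bcount = rsp_end - rsp;` in server_send_service_attribute_response() a pointer difference is stored with only `assert(rsp_end >= rsp)` guarding it, which checks the lower bound alone and is compiled out when NDEBUG is defined. The declaration of `bcount` is outside the hunk, but the `htons(bcount)` applied to it suggests a 16-bit type; if so, a difference above 0xffff would be silently truncated and the length fields would no longer match the data sent. An explicit runtime test before the assignment, such as `if (rsp_end < rsp || rsp_end - rsp > UINT16_MAX)` followed by the function's normal error return, would make the bound hold in release builds too.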
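Review bot: After this hunk `bcount` holds a host-order value where `pdu.len` is computed and a network-order value once `bcount = htons(bcount);` has run, so the correctness of the length field depends on statement order that nothing in the code documents. A comment on the conversion line, for example `/* to network order only after pdu.len has been computed from the host-order value */`, would keep a later reorder from reintroducing the defect this commit fixes. Alternatively, keep the host-order count in its own local and assign the converted value to a separately named variable, so that each name has a single byte order throughout the function.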