diff --git a/ChangeLog b/ChangeLog
index 904d009..b7d2643 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,26 @@
 Version 1.6.18
 *******************************************************************************
 
+2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
+
+	Security fix for CERT issue VU#922681
+
+	This patch addresses three possible buffer overflows in function
+	unique_service_name(). The three issues have the folowing CVE numbers:
+
+	CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+	CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+	CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+
+	Notice that the following issues have already been dealt by previous
+	work:
+
+	CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+	CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+	CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+	CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+	CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+
 2012-06-19 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
 
 	Fix memory leak and access violation in UpnpSendAction(Ex)Async.
diff --git a/upnp/src/ssdp/ssdp_server.c b/upnp/src/ssdp/ssdp_server.c
index 231c2c5..8a57d08 100644
--- a/upnp/src/ssdp/ssdp_server.c
+++ b/upnp/src/ssdp/ssdp_server.c
@@ -467,16 +467,16 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 		else
 			return -1;
 		if (ptr3 != NULL) {
-			if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN))
+			if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
 				return -1;
-			snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
-				ptr3 + 1);
+			snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
 		}
 		else
 			return -1;
 		ptr1 = strstr(cmd, ":");
 		if (ptr1 != NULL) {
 			n = (size_t)ptr3 - (size_t)ptr1;
+			n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
 			strncpy(TempBuf, ptr1, n);
 			TempBuf[n] = '\0';
 			if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
@@ -490,27 +490,28 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 	if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
 		if ((Ptr = strstr(cmd, "::")) != NULL) {
 			n = (size_t)Ptr - (size_t)TempPtr;
+			n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
 			strncpy(Evt->UDN, TempPtr, n);
 			Evt->UDN[n] = '\0';
 		} else {
 			memset(Evt->UDN, 0, sizeof(Evt->UDN));
-			strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
+			strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
 		}
 		CommandFound = 1;
 	}
 	if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
 		if ((TempPtr = strstr(cmd, "urn")) != NULL) {
-			memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
+			memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
 			strncpy(Evt->ServiceType, TempPtr,
-				sizeof(Evt->ServiceType) - 1);
+				sizeof Evt->ServiceType - 1);
 			CommandFound = 1;
 		}
 	}
 	if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
 		if ((TempPtr = strstr(cmd, "urn")) != NULL) {
-			memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
+			memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
 			strncpy(Evt->DeviceType, TempPtr,
-				sizeof(Evt->DeviceType) - 1);
+				sizeof Evt->DeviceType - 1);
 			CommandFound = 1;
 		}
 	}
@@ -518,6 +519,7 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 		/* Everything before "::upnp::rootdevice" is the UDN. */
 		if (TempPtr != cmd) {
 			n = (size_t)TempPtr - (size_t)cmd;
+			n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
 			strncpy(Evt->UDN, cmd, n);
 			Evt->UDN[n] = 0;
 			CommandFound = 1;