Don't throw away bootp reply packets that are shorter than our extended-length

bootp query packet.
PR:		5512

2 files changed, 6 insertions, 2 deletions

diff --git a/sys/i386/boot/netboot/main.c b/sys/i386/boot/netboot/main.c
index 9a9f057..7ffb5d0 100644
--- a/sys/i386/boot/netboot/main.c
+++ b/sys/i386/boot/netboot/main.c
@@ -559,7 +559,9 @@ await_reply(type, ival, ptr)
 			bootpreply = (struct bootp_t *)&packet[ETHER_HDR_LEN];
 			if ((type == AWAIT_BOOTP) &&
 			   (packetlen >= (ETHER_HDR_LEN +
-			     sizeof(struct bootp_t))) &&
+					  sizeof(struct iphdr) +
+					  sizeof(struct udphdr) +
+					  BOOTP_MIN_LEN)) &&
 			   (ntohs(udp->dest) == BOOTP_CLIENT) &&
 			   (bootpreply->bp_op == BOOTP_REPLY)) {
 				convert_ipaddr(&arptable[ARP_CLIENT].ipaddr,
diff --git a/sys/i386/boot/netboot/netboot.h b/sys/i386/boot/netboot/netboot.h
index 0e922b7..37883b4 100644
--- a/sys/i386/boot/netboot/netboot.h
+++ b/sys/i386/boot/netboot/netboot.h
@@ -111,7 +111,9 @@ Author: Martin Renters
 #define RFC1048_SWAP_LEN	129	/* T129 */
 
 #define RFC1048_END		255
-#define BOOTP_VENDOR_LEN	256
+#define BOOTP_VENDOR_LEN	256	/* Extended vendor field */
+
+#define BOOTP_MIN_LEN		300	/* Minimum size of bootp udp packet */
 
 #define TFTP_RRQ	1
 #define TFTP_WRQ	2