From cc913fb4818ab0f1ffdb93ddc0145798964b98ba Mon Sep 17 00:00:00 2001
From: emaste <emaste@FreeBSD.org>
Date: Wed, 19 Dec 2018 18:17:59 +0000
Subject: [PATCH] MFC r342227: bootpd: validate hardware type

Due to insufficient validation of network-provided data it may have been
possible for a malicious actor to craft a bootp packet which could cause
a stack buffer overflow.

admbugs:	850
Reported by:	Reno Robert
Reviewed by:	markj
Approved by:	so
Security:	FreeBSD-SA-18:15.bootpd
Sponsored by:	The FreeBSD Foundation
---
 libexec/bootpd/bootpd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libexec/bootpd/bootpd.c b/libexec/bootpd/bootpd.c
index fe9cefa3de42..afd5c77d6a99 100644
--- a/libexec/bootpd/bootpd.c
+++ b/libexec/bootpd/bootpd.c
@@ -636,6 +636,10 @@ handle_request()
 	char *homedir, *bootfile;
 	int n;
 
+	if (bp->bp_htype >= hwinfocnt) {
+		report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);
+		return;
+	}
 	bp->bp_file[sizeof(bp->bp_file)-1] = '\0';
 
 	/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */