--- bootp-2.4.3/bootpd.c.old	Wed May 13 11:31:49 1998
+++ bootp-2.4.3/bootpd.c	Wed May 13 11:34:07 1998
@@ -662,6 +662,7 @@
 	char *clntpath;
 	char *homedir, *bootfile;
 	int n;
+	int lpos;
 
 	/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */
 
@@ -859,13 +860,20 @@
 	 * The "real" path is as seen by the BOOTP daemon on this
 	 * machine, while the client path is relative to the TFTP
 	 * daemon chroot directory (i.e. /tftpboot).
+	 *
+	 * The bootfile might not be properly zero terminated. We
+	 * need to play safe - AC
 	 */
 	if (hp->flags.tftpdir) {
+		lpos=strlen(hp->tftpdir->string);
+		if(lpos>=sizeof(realpath)-1)
+			return;
 		strcpy(realpath, hp->tftpdir->string);
-		clntpath = &realpath[strlen(realpath)];
+		clntpath = &realpath[lpos];
 	} else {
 		realpath[0] = '\0';
 		clntpath = realpath;
+		lpos=0;
 	}
 
 	/*
@@ -906,12 +914,18 @@
 	if (homedir) {
 		if (homedir[0] != '/')
 			strcat(clntpath, "/");
+		lpos+=strlen(homedir);
+		if(lpos>=sizeof(realpath))
+			return;
 		strcat(clntpath, homedir);
 		homedir = NULL;
 	}
 	if (bootfile) {
 		if (bootfile[0] != '/')
 			strcat(clntpath, "/");
+		lpos+=strlen(bootfile);
+		if(lpos>=sizeof(realpath))
+			return;
 		strcat(clntpath, bootfile);
 		bootfile = NULL;
 	}
@@ -920,8 +934,15 @@
 	 * First try to find the file with a ".host" suffix
 	 */
 	n = strlen(clntpath);
-	strcat(clntpath, ".");
-	strcat(clntpath, hp->hostname->string);
+	
+	/*
+	 *	Don't test if it wont fit.
+	 */
+	if(n+1+strlen(hp->hostname->string)<sizeof(realpath))
+	{
+		strcat(clntpath, ".");
+		strcat(clntpath, hp->hostname->string);
+	}
 	if (chk_access(realpath, &bootsize) < 0) {
 		clntpath[n] = 0;			/* Try it without the suffix */
 		if (chk_access(realpath, &bootsize) < 0) {