git: 60aa737df9d9 - stable/13 - ipfilter userland: Replace sprintf with range checking version (snprintf)

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Tue, 21 Dec 2021 23:35:24 UTC
The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=60aa737df9d91f1ce1de0093cf5541911258e11e

commit 60aa737df9d91f1ce1de0093cf5541911258e11e
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2021-12-13 22:54:38 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2021-12-21 23:34:40 +0000

    ipfilter userland: Replace sprintf with range checking version (snprintf)
    
    (cherry picked from commit a6fb9bbea7318e993dfe0f8a7f00821f79850b26)
---
 contrib/ipfilter/iplang/iplang_y.y      |   2 +-
 contrib/ipfilter/ipsend/dlcommon.c      |  20 +++---
 contrib/ipfilter/ipsend/sbpf.c          |   2 +-
 contrib/ipfilter/lib/getnattype.c       |   2 +-
 contrib/ipfilter/lib/getsumd.c          |   4 +-
 contrib/ipfilter/lib/interror.c         |   6 +-
 contrib/ipfilter/lib/load_dstlistnode.c |   2 +-
 contrib/ipfilter/lib/load_hashnode.c    |   2 +-
 contrib/ipfilter/lib/load_poolnode.c    |   2 +-
 contrib/ipfilter/lib/parseipfexpr.c     |   2 +-
 contrib/ipfilter/lib/portname.c         |   2 +-
 contrib/ipfilter/tools/ipf_y.y          |   8 +--
 contrib/ipfilter/tools/ipfstat.c        |  48 ++++++-------
 contrib/ipfilter/tools/ipfsyncd.c       |   2 +-
 contrib/ipfilter/tools/ipmon.c          | 124 ++++++++++++++++----------------
 contrib/ipfilter/tools/ipmon_y.y        |   2 +-
 contrib/ipfilter/tools/ipnat_y.y        |  11 +--
 contrib/ipfilter/tools/ippool_y.y       |   6 +-
 contrib/ipfilter/tools/lexer.c          |   2 +-
 19 files changed, 127 insertions(+), 122 deletions(-)

diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y
index f3335636cee1..484fe1951d52 100644
--- a/contrib/ipfilter/iplang/iplang_y.y
+++ b/contrib/ipfilter/iplang/iplang_y.y
@@ -1595,7 +1595,7 @@ void *ptr;
 
 	if (state == IL_IPO_RR || state == IL_IPO_SATID) {
 		if (param)
-			sprintf(numbuf, "%d", *(int *)param);
+			snprintf(numbuf, sizeof(numbuf), "%d", *(int *)param);
 		else
 			strcpy(numbuf, "0");
 		arg = numbuf;
diff --git a/contrib/ipfilter/ipsend/dlcommon.c b/contrib/ipfilter/ipsend/dlcommon.c
index 8a8cbf6a6a94..efb82df9ad32 100644
--- a/contrib/ipfilter/ipsend/dlcommon.c
+++ b/contrib/ipfilter/ipsend/dlcommon.c
@@ -497,7 +497,7 @@ strgetmsg(fd, ctlp, datap, flagsp, caller)
 	 */
 	(void) signal(SIGALRM, sigalrm);
 	if (alarm(MAXWAIT) < 0) {
-		(void) sprintf(errmsg, "%s:  alarm", caller);
+		(void) snprintf(errmsg, sizeof(errmsg), "%s:  alarm", caller);
 		syserr(errmsg);
 	}
 
@@ -506,7 +506,7 @@ strgetmsg(fd, ctlp, datap, flagsp, caller)
 	 */
 	*flagsp = 0;
 	if ((rc = getmsg(fd, ctlp, datap, flagsp)) < 0) {
-		(void) sprintf(errmsg, "%s:  getmsg", caller);
+		(void) snprintf(errmsg, sizeof(errmsg), "%s:  getmsg", caller);
 		syserr(errmsg);
 	}
 
@@ -514,7 +514,7 @@ strgetmsg(fd, ctlp, datap, flagsp, caller)
 	 * Stop timer.
 	 */
 	if (alarm(0) < 0) {
-		(void) sprintf(errmsg, "%s:  alarm", caller);
+		(void) snprintf(errmsg, sizeof(errmsg), "%s:  alarm", caller);
 		syserr(errmsg);
 	}
 
@@ -1188,7 +1188,7 @@ dlprim(prim)
 		CASERET(DL_RESET_RES);
 		CASERET(DL_RESET_CON);
 		default:
-			(void) sprintf(primbuf, "unknown primitive 0x%x", prim);
+			(void) snprintf(primbuf, sizeof(primbuf), "unknown primitive 0x%x", prim);
 			return (primbuf);
 	}
 }
@@ -1223,7 +1223,7 @@ dlstate(state)
 		CASERET(DL_DISCON13_PENDING);
 		CASERET(DL_SUBS_BIND_PND);
 		default:
-			(void) sprintf(statebuf, "unknown state 0x%x", state);
+			(void) snprintf(statebuf, sizeof(statebuf), "unknown state 0x%x", state);
 			return (statebuf);
 	}
 }
@@ -1265,7 +1265,7 @@ dlerrno(errno)
 		CASERET(DL_PENDING);
 
 		default:
-			(void) sprintf(errnobuf, "unknown dlpi errno 0x%x", errno);
+			(void) snprintf(errnobuf, sizeof(errnobuf), "unknown dlpi errno 0x%x", errno);
 			return (errnobuf);
 	}
 }
@@ -1281,7 +1281,7 @@ dlpromisclevel(level)
 		CASERET(DL_PROMISC_SAP);
 		CASERET(DL_PROMISC_MULTI);
 		default:
-			(void) sprintf(levelbuf, "unknown promisc level 0x%x", level);
+			(void) snprintf(levelbuf, sizeof(levelbuf), "unknown promisc level 0x%x", level);
 			return (levelbuf);
 	}
 }
@@ -1297,7 +1297,7 @@ dlservicemode(servicemode)
 		CASERET(DL_CLDLS);
 		CASERET(DL_CODLS|DL_CLDLS);
 		default:
-			(void) sprintf(servicemodebuf,
+			(void) snprintf(servicemodebuf, sizeof(servicemodebuf),
 				"unknown provider service mode 0x%x", servicemode);
 			return (servicemodebuf);
 	}
@@ -1313,7 +1313,7 @@ dlstyle(style)
 		CASERET(DL_STYLE1);
 		CASERET(DL_STYLE2);
 		default:
-			(void) sprintf(stylebuf, "unknown provider style 0x%x", style);
+			(void) snprintf(stylebuf, sizeof(stylebuf), "unknown provider style 0x%x", style);
 			return (stylebuf);
 	}
 }
@@ -1334,7 +1334,7 @@ dlmactype(media)
 		CASERET(DL_CHAR);
 		CASERET(DL_CTCA);
 		default:
-			(void) sprintf(mediabuf, "unknown media type 0x%x", media);
+			(void) snprintf(mediabuf, sizeof(mediabuf), "unknown media type 0x%x", media);
 			return (mediabuf);
 	}
 }
diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c
index f3b8d2f37775..27f239185d37 100644
--- a/contrib/ipfilter/ipsend/sbpf.c
+++ b/contrib/ipfilter/ipsend/sbpf.c
@@ -74,7 +74,7 @@ int	initdevice(device, tout)
 
 	for (i = 0; i < 16; i++)
 	    {
-		(void) sprintf(bpfname, "/dev/bpf%d", i);
+		(void) snprintf(bpfname, sizeof(bpfname), "/dev/bpf%d", i);
 		if ((fd = open(bpfname, O_RDWR)) >= 0)
 			break;
 	    }
diff --git a/contrib/ipfilter/lib/getnattype.c b/contrib/ipfilter/lib/getnattype.c
index ef7ffd47a050..81364738e94a 100644
--- a/contrib/ipfilter/lib/getnattype.c
+++ b/contrib/ipfilter/lib/getnattype.c
@@ -61,7 +61,7 @@ getnattype(nat)
 		which = "ENC-MAP";
 		break;
 	default :
-		sprintf(unknownbuf, "unknown(%04x)",
+		snprintf(unknownbuf, sizeof(unknownbuf), "unknown(%04x)",
 			nat->nat_redir & 0xffffffff);
 		which = unknownbuf;
 		break;
diff --git a/contrib/ipfilter/lib/getsumd.c b/contrib/ipfilter/lib/getsumd.c
index 84acc7a282ed..53869131e694 100644
--- a/contrib/ipfilter/lib/getsumd.c
+++ b/contrib/ipfilter/lib/getsumd.c
@@ -16,8 +16,8 @@ char *getsumd(sum)
 	static char sumdbuf[17];
 
 	if (sum & NAT_HW_CKSUM)
-		sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
+		snprintf(sumdbuf, sizeof(sumdbuf), "hw(%#0x)", sum & 0xffff);
 	else
-		sprintf(sumdbuf, "%#0x", sum);
+		snprintf(sumdbuf, sizeof(sumdbuf), "%#0x", sum);
 	return sumdbuf;
 }
diff --git a/contrib/ipfilter/lib/interror.c b/contrib/ipfilter/lib/interror.c
index 183e465a0ca4..78ae4bf37849 100644
--- a/contrib/ipfilter/lib/interror.c
+++ b/contrib/ipfilter/lib/interror.c
@@ -557,9 +557,9 @@ ipf_geterror(fd, func)
 		ie = find_error(errnum);
 		if (ie != NULL)
 			return ie->iee_text;
-		sprintf(text, "unknown error %d", errnum);
+		snprintf(text, sizeof(text), "unknown error %d", errnum);
 	} else {
-		sprintf(text, "retrieving error number failed (%d)", errno);
+		snprintf(text, sizeof(text), "retrieving error number failed (%d)", errno);
 	}
 	return text;
 }
@@ -577,6 +577,6 @@ ipf_strerror(errnum)
 	if (ie != NULL)
 		return ie->iee_text;
 
-	sprintf(text, "unknown error %d", errnum);
+	snprintf(text, sizeof(text), "unknown error %d", errnum);
 	return text;
 }
diff --git a/contrib/ipfilter/lib/load_dstlistnode.c b/contrib/ipfilter/lib/load_dstlistnode.c
index e1ec0013fae7..d8160ebaea9c 100644
--- a/contrib/ipfilter/lib/load_dstlistnode.c
+++ b/contrib/ipfilter/lib/load_dstlistnode.c
@@ -61,7 +61,7 @@ load_dstlistnode(role, name, node, iocfunc)
 		if ((opts & OPT_DONOTHING) == 0) {
 			char msg[80];
 
-			(void) sprintf(msg, "%s lookup node", what);
+			(void) snprintf(msg, sizeof(msg), "%s lookup node", what);
 			return ipf_perror_fd(pool_fd(), iocfunc, msg);
 		}
 	}
diff --git a/contrib/ipfilter/lib/load_hashnode.c b/contrib/ipfilter/lib/load_hashnode.c
index 2aac4331b41f..203d75484ec3 100644
--- a/contrib/ipfilter/lib/load_hashnode.c
+++ b/contrib/ipfilter/lib/load_hashnode.c
@@ -60,7 +60,7 @@ load_hashnode(unit, name, node, ttl, iocfunc)
 		if (!(opts & OPT_DONOTHING)) {
 			char msg[80];
 
-			sprintf(msg, "%s node from lookup hash table", what);
+			snprintf(msg, sizeof(msg), "%s node from lookup hash table", what);
 			return ipf_perror_fd(pool_fd(), iocfunc, msg);
 		}
 	return 0;
diff --git a/contrib/ipfilter/lib/load_poolnode.c b/contrib/ipfilter/lib/load_poolnode.c
index 5afca8412b08..0dfc1d25a8f7 100644
--- a/contrib/ipfilter/lib/load_poolnode.c
+++ b/contrib/ipfilter/lib/load_poolnode.c
@@ -59,7 +59,7 @@ load_poolnode(role, name, node, ttl, iocfunc)
 		if ((opts & OPT_DONOTHING) == 0) {
 			char msg[80];
 
-			sprintf(msg, "%s pool node(%s/", what,
+			snprintf(msg, sizeof(msg), "%s pool node(%s/", what,
 				inet_ntoa(pn.ipn_addr.adf_addr.in4));
 			strcat(msg, inet_ntoa(pn.ipn_mask.adf_addr.in4));
 			return ipf_perror_fd(pool_fd(), iocfunc, msg);
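Review bot: The `strcat(msg, inet_ntoa(pn.ipn_mask.adf_addr.in4));` that follows the converted call is still unbounded, so the 80-byte `msg` is only partly protected. If the snprintf output fills or nearly fills the buffer, the append writes past its end. Whether that is reachable depends on the length of `what`, which is set outside the hunk. A bounded append closes the gap, e.g. `strlcat(msg, inet_ntoa(pn.ipn_mask.adf_addr.in4), sizeof(msg));`. The buildsocket hunk in tools/ipfsyncd.c has the same snprintf-then-strcat shape.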
diff --git a/contrib/ipfilter/lib/parseipfexpr.c b/contrib/ipfilter/lib/parseipfexpr.c
index 18958301b900..b4b00f91bfca 100644
--- a/contrib/ipfilter/lib/parseipfexpr.c
+++ b/contrib/ipfilter/lib/parseipfexpr.c
@@ -97,7 +97,7 @@ parseipfexpr(line, errorptr)
 		if (e->ipoe_word == NULL) {
 			error = malloc(32);
 			if (error != NULL) {
-				sprintf(error, "keyword (%.10s) not found",
+				snprintf(error, sizeof(error), "keyword (%.10s) not found",
 					ops);
 			}
 			goto parseerror;
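Review bot: `sizeof(error)` in the new snprintf call is the size of a pointer, not of the allocation, because `error` comes from `malloc(32)` two lines above. On a 64-bit build that limits the message to 7 characters plus the terminator, so the "keyword (...) not found" text that sprintf used to write in full is now cut off. Pass the allocation size instead, e.g. `snprintf(error, 32, "keyword (%.10s) not found", ops);`, ideally with the 32 held in one named constant shared with the malloc call. The enclosing function starts and ends outside the hunk.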
diff --git a/contrib/ipfilter/lib/portname.c b/contrib/ipfilter/lib/portname.c
index 925eace62532..f567b26fc3fd 100644
--- a/contrib/ipfilter/lib/portname.c
+++ b/contrib/ipfilter/lib/portname.c
@@ -38,6 +38,6 @@ portname(int pr, int port)
 		}
 	}
 
-	(void) sprintf(buf, "%d", port);
+	(void) snprintf(buf, sizeof(buf), "%d", port);
 	return (buf);
 }
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index 3851f34bb693..2013fe5b9452 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -2448,7 +2448,7 @@ void *ptr;
 			if ((opts & OPT_DONOTHING) == 0) {
 				char msg[80];
 
-				sprintf(msg, "%d:ioctl(zero rule)",
+				snprintf(msg, sizeof(msg), "%d:ioctl(zero rule)",
 					fr->fr_flineno);
 				return ipf_perror_fd(fd, ioctlfunc, msg);
 			}
@@ -2468,7 +2468,7 @@ void *ptr;
 			if ((opts & OPT_DONOTHING) == 0) {
 				char msg[80];
 
-				sprintf(msg, "%d:ioctl(delete rule)",
+				snprintf(msg, sizeof(msg), "%d:ioctl(delete rule)",
 					fr->fr_flineno);
 				return ipf_perror_fd(fd, ioctlfunc, msg);
 			}
@@ -2478,7 +2478,7 @@ void *ptr;
 			if ((opts & OPT_DONOTHING) == 0) {
 				char msg[80];
 
-				sprintf(msg, "%d:ioctl(add/insert rule)",
+				snprintf(msg, sizeof(msg), "%d:ioctl(add/insert rule)",
 					fr->fr_flineno);
 				return ipf_perror_fd(fd, ioctlfunc, msg);
 			}
@@ -2572,7 +2572,7 @@ int value;
 	strncpy(buffer, varname, 60);
 	buffer[59] = '\0';
 	strcat(buffer, "=");
-	sprintf(buffer, "%u", value);
+	snprintf(buffer, sizeof(buffer), "%u", value);
 	ipf_dotuning(ipffd, buffer, ioctl);
 }
 
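Review bot: The converted call still formats at the start of `buffer`, so it overwrites the `varname=` prefix that the strncpy/strcat lines just above built, and ipf_dotuning receives only the number. This predates the commit, but the bounded form is the natural place to fix it by appending: `size_t used = strlen(buffer);` followed by `snprintf(buffer + used, sizeof(buffer) - used, "%u", value);`. That relies on `buffer` being an array; its declaration is outside the hunk, so confirm before relying on `sizeof`.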
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index 2165a671a9e9..4517d3e857b4 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -1531,7 +1531,7 @@ static void topipstates(saddr, daddr, sport, dport, protocol, ver,
 		attron(A_BOLD);
 		winy = 0;
 		move(winy,0);
-		sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
+		snprintf(str1, sizeof(str1), "%s - %s - state top", hostnm, IPL_VERSION);
 		for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
 			printw(" ");
 		printw("%s", str1);
@@ -1549,50 +1549,50 @@ static void topipstates(saddr, daddr, sport, dport, protocol, ver,
 		 * while the programming is running :-)
 		 */
 		if (sport >= 0)
-			sprintf(str1, "%s,%d", getip(ver, &saddr), sport);
+			snprintf(str1, sizeof(str1), "%s,%d", getip(ver, &saddr), sport);
 		else
-			sprintf(str1, "%s", getip(ver, &saddr));
+			snprintf(str1, sizeof(str1), "%s", getip(ver, &saddr));
 
 		if (dport >= 0)
-			sprintf(str2, "%s,%d", getip(ver, &daddr), dport);
+			snprintf(str2, sizeof(str2), "%s,%d", getip(ver, &daddr), dport);
 		else
-			sprintf(str2, "%s", getip(ver, &daddr));
+			snprintf(str2, sizeof(str2), "%s", getip(ver, &daddr));
 
 		if (protocol < 0)
 			strcpy(str3, "any");
 		else if ((proto = getprotobynumber(protocol)) != NULL)
-			sprintf(str3, "%s", proto->p_name);
+			snprintf(str3, sizeof(str3), "%s", proto->p_name);
 		else
-			sprintf(str3, "%d", protocol);
+			snprintf(str3, sizeof(str3), "%d", protocol);
 
 		switch (sorting)
 		{
 		case STSORT_PR:
-			sprintf(str4, "proto");
+			snprintf(str4, sizeof(str4), "proto");
 			break;
 		case STSORT_PKTS:
-			sprintf(str4, "# pkts");
+			snprintf(str4, sizeof(str4), "# pkts");
 			break;
 		case STSORT_BYTES:
-			sprintf(str4, "# bytes");
+			snprintf(str4, sizeof(str4), "# bytes");
 			break;
 		case STSORT_TTL:
-			sprintf(str4, "ttl");
+			snprintf(str4, sizeof(str4), "ttl");
 			break;
 		case STSORT_SRCIP:
-			sprintf(str4, "src ip");
+			snprintf(str4, sizeof(str4), "src ip");
 			break;
 		case STSORT_SRCPT:
-			sprintf(str4, "src port");
+			snprintf(str4, sizeof(str4), "src port");
 			break;
 		case STSORT_DSTIP:
-			sprintf(str4, "dest ip");
+			snprintf(str4, sizeof(str4), "dest ip");
 			break;
 		case STSORT_DSTPT:
-			sprintf(str4, "dest port");
+			snprintf(str4, sizeof(str4), "dest port");
 			break;
 		default:
-			sprintf(str4, "unknown");
+			snprintf(str4, sizeof(str4), "unknown");
 			break;
 		}
 
@@ -1639,16 +1639,16 @@ static void topipstates(saddr, daddr, sport, dport, protocol, ver,
 			/* print src/dest and port */
 			if ((tp->st_p == IPPROTO_TCP) ||
 			    (tp->st_p == IPPROTO_UDP)) {
-				sprintf(str1, "%s,%hu",
+				snprintf(str1, sizeof(str1), "%s,%hu",
 					getip(tp->st_v, &tp->st_src),
 					ntohs(tp->st_sport));
-				sprintf(str2, "%s,%hu",
+				snprintf(str2, sizeof(str2), "%s,%hu",
 					getip(tp->st_v, &tp->st_dst),
 					ntohs(tp->st_dport));
 			} else {
-				sprintf(str1, "%s", getip(tp->st_v,
+				snprintf(str1, sizeof(str1), "%s", getip(tp->st_v,
 				    &tp->st_src));
-				sprintf(str2, "%s", getip(tp->st_v,
+				snprintf(str2, sizeof(str2), "%s", getip(tp->st_v,
 				    &tp->st_dst));
 			}
 			winy++;
@@ -1656,7 +1656,7 @@ static void topipstates(saddr, daddr, sport, dport, protocol, ver,
 			printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
 
 			/* print state */
-			sprintf(str1, "%X/%X", tp->st_state[0],
+			snprintf(str1, sizeof(str1), "%X/%X", tp->st_state[0],
 				tp->st_state[1]);
 			printw(" %3s", str1);
 
@@ -1666,7 +1666,7 @@ static void topipstates(saddr, daddr, sport, dport, protocol, ver,
 				strncpy(str1, proto->p_name, 4);
 				str1[4] = '\0';
 			} else {
-				sprintf(str1, "%d", tp->st_p);
+				snprintf(str1, sizeof(str1), "%d", tp->st_p);
 			}
 			/* just print icmp for IPv6-ICMP */
 			if (tp->st_p == IPPROTO_ICMPV6)
@@ -2015,9 +2015,9 @@ static char *ttl_to_string(ttl)
 	seconds = ttl % 60;
 
 	if (hours > 0)
-		sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
+		snprintf(ttlbuf, sizeof(ttlbuf), "%2d:%02d:%02d", hours, minutes, seconds);
 	else
-		sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
+		snprintf(ttlbuf, sizeof(ttlbuf), "%2d:%02d", minutes, seconds);
 	return ttlbuf;
 }
 
diff --git a/contrib/ipfilter/tools/ipfsyncd.c b/contrib/ipfilter/tools/ipfsyncd.c
index a75075059763..ead92b70371c 100644
--- a/contrib/ipfilter/tools/ipfsyncd.c
+++ b/contrib/ipfilter/tools/ipfsyncd.c
@@ -385,7 +385,7 @@ buildsocket(nicname, sinp)
 			       (char *)&mreq, sizeof(mreq)) == -1) {
 			char buffer[80];
 
-			sprintf(buffer, "%s,", inet_ntoa(sinp->sin_addr));
+			snprintf(buffer, sizeof(buffer), "%s,", inet_ntoa(sinp->sin_addr));
 			strcat(buffer, inet_ntoa(reqip->sin_addr));
 
 			syslog(LOG_ERR,
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index 9022f12b6149..28586537da5b 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -447,7 +447,7 @@ static char *getlocalproto(p)
 	p &= 0xff;
 	s = protocols ? protocols[p] : NULL;
 	if (s == NULL) {
-		sprintf(pnum, "%u", p);
+		snprintf(pnum, sizeof(pnum), "%u", p);
 		s = pnum;
 	}
 	return s;
@@ -483,7 +483,7 @@ char *portlocalname(res, proto, port)
 
 	port = ntohs(port);
 	port &= 0xffff;
-	sprintf(pname, "%u", port);
+	snprintf(pname, sizeof(pname), "%u", port);
 	if (!res || (ipmonopts & IPMON_PORTNUM))
 		return pname;
 	s = NULL;
@@ -512,9 +512,9 @@ static char *icmpname(type, code)
 		s = it->it_name;
 
 	if (s == NULL)
-		sprintf(name, "icmptype(%d)/", type);
+		snprintf(name, sizeof(name), "icmptype(%d)/", type);
 	else
-		sprintf(name, "%s/", s);
+		snprintf(name, sizeof(name), "%s/", s);
 
 	ist = NULL;
 	if (it != NULL && it->it_subtable != NULL)
@@ -522,8 +522,10 @@ static char *icmpname(type, code)
 
 	if (ist != NULL && ist->ist_name != NULL)
 		strcat(name, ist->ist_name);
-	else
-		sprintf(name + strlen(name), "%d", code);
+	else {
+		int strlen_name = strlen(name);
+		snprintf(name + strlen_name, sizeof(name) - strlen_name, "%d", code);
+	}
 
 	return name;
 }
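Review bot: `int strlen_name = strlen(name);` stores a `size_t` in an `int` and then mixes it with `sizeof(name)` in an unsigned subtraction; declaring it as `size_t used = strlen(name);` keeps the arithmetic in one type and avoids a `-Wconversion` warning. The bound is only meaningful if `name` is an array, and its declaration is outside the hunk. The `strcat(name, ist->ist_name);` in the other branch is still an unbounded append into the same buffer. The same points apply to the icmpname6 hunk below and to the `strlen_msg` lines in the ipnat_addrule hunk of tools/ipnat_y.y.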
@@ -543,9 +545,9 @@ static char *icmpname6(type, code)
 		s = it->it_name;
 
 	if (s == NULL)
-		sprintf(name, "icmpv6type(%d)/", type);
+		snprintf(name, sizeof(name), "icmpv6type(%d)/", type);
 	else
-		sprintf(name, "%s/", s);
+		snprintf(name, sizeof(name), "%s/", s);
 
 	ist = NULL;
 	if (it != NULL && it->it_subtable != NULL)
@@ -553,8 +555,10 @@ static char *icmpname6(type, code)
 
 	if (ist != NULL && ist->ist_name != NULL)
 		strcat(name, ist->ist_name);
-	else
-		sprintf(name + strlen(name), "%d", code);
+	else {
+		int strlen_name = strlen(name);
+		snprintf(name + strlen_name, sizeof(name) - strlen_name, "%d", code);
+	}
 
 	return name;
 }
@@ -680,7 +684,7 @@ static void print_natlog(conf, buf, blen)
 	}
 	(void) strftime(t, len, "%T", tm);
 	t += strlen(t);
-	sprintf(t, ".%-.6ld @%hd ", (long)ipl->ipl_usec, nl->nl_rule + 1);
+	snprintf(t, sizeof(t), ".%-.6ld @%hd ", (long)ipl->ipl_usec, nl->nl_rule + 1);
 	t += strlen(t);
 
 	switch (nl->nl_action)
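Review bot: `sizeof(t)` does not describe the space left in the output line, because `t` is a cursor pointer (it is advanced with `t += strlen(t)` on the neighbouring lines), so the size passed is that of a `char *`. Each converted call can now emit at most 7 characters on a 64-bit build (3 on 32-bit), which silently truncates log fields that sprintf wrote in full, and the bound is still unrelated to the real end of the buffer, so it does not reliably prevent an overrun either. The size argument should be the room remaining in the destination, e.g. `snprintf(t, <remaining>, ...)`, where `<remaining>` is a placeholder for the buffer's capacity minus the offset of `t` from its start; both are declared outside the hunk. The same pattern recurs in every `snprintf(t, sizeof(t), ...)` in the later print_natlog, print_statelog and print_ipflog hunks of this file, and as `snprintf(s, sizeof(s), ...)` in tools/lexer.c.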
@@ -710,7 +714,7 @@ static void print_natlog(conf, buf, blen)
 		break;
 
 	default :
-		sprintf(t, "NAT:Action(%d)", nl->nl_action);
+		snprintf(t, sizeof(t), "NAT:Action(%d)", nl->nl_action);
 		break;
 	}
 	t += strlen(t);
@@ -763,7 +767,7 @@ static void print_natlog(conf, buf, blen)
 		break;
 
 	default :
-		sprintf(t, "-Type(%d) ", nl->nl_type);
+		snprintf(t, sizeof(t), "-Type(%d) ", nl->nl_type);
 		break;
 	}
 	t += strlen(t);
@@ -773,25 +777,25 @@ static void print_natlog(conf, buf, blen)
 	family = vtof(nl->nl_v[0]);
 
 	if (simple == 1) {
-		sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_osrcip.i6),
+		snprintf(t, sizeof(t), "%s,%s <- -> ", hostname(family, nl->nl_osrcip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_osrcport));
 		t += strlen(t);
-		sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
+		snprintf(t, sizeof(t), "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_nsrcport));
 		t += strlen(t);
-		sprintf(t, "[%s,%s] ", hostname(family, nl->nl_odstip.i6),
+		snprintf(t, sizeof(t), "[%s,%s] ", hostname(family, nl->nl_odstip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_odstport));
 	} else {
-		sprintf(t, "%s,%s ", hostname(family, nl->nl_osrcip.i6),
+		snprintf(t, sizeof(t), "%s,%s ", hostname(family, nl->nl_osrcip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_osrcport));
 		t += strlen(t);
-		sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_odstip.i6),
+		snprintf(t, sizeof(t), "%s,%s <- -> ", hostname(family, nl->nl_odstip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_odstport));
 		t += strlen(t);
-		sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
+		snprintf(t, sizeof(t), "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_nsrcport));
 		t += strlen(t);
-		sprintf(t, "%s,%s ", hostname(family, nl->nl_ndstip.i6),
+		snprintf(t, sizeof(t), "%s,%s ", hostname(family, nl->nl_ndstip.i6),
 			portlocalname(res, proto, (u_int)nl->nl_ndstport));
 	}
 	t += strlen(t);
@@ -802,13 +806,13 @@ static void print_natlog(conf, buf, blen)
 	if (nl->nl_action == NL_EXPIRE || nl->nl_action == NL_FLUSH) {
 #ifdef	USE_QUAD_T
 # ifdef	PRId64
-		sprintf(t, " Pkts %" PRId64 "/%" PRId64 " Bytes %" PRId64 "/%"
+		snprintf(t, sizeof(t), " Pkts %" PRId64 "/%" PRId64 " Bytes %" PRId64 "/%"
 			PRId64,
 # else
-		sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
+		snprintf(t, sizeof(t), " Pkts %qd/%qd Bytes %qd/%qd",
 # endif
 #else
-		sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
+		snprintf(t, sizeof(t), " Pkts %ld/%ld Bytes %ld/%ld",
 #endif
 				nl->nl_pkts[0], nl->nl_pkts[1],
 				nl->nl_bytes[0], nl->nl_bytes[1]);
@@ -865,7 +869,7 @@ static void print_statelog(conf, buf, blen)
 	}
 	(void) strftime(t, len, "%T", tm);
 	t += strlen(t);
-	sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
+	snprintf(t, sizeof(t), ".%-.6ld ", (long)ipl->ipl_usec);
 	t += strlen(t);
 
 	family = vtof(sl->isl_v);
@@ -910,7 +914,7 @@ static void print_statelog(conf, buf, blen)
 		break;
 
 	default :
-		sprintf(t, "Type: %d ", sl->isl_type);
+		snprintf(t, sizeof(t), "Type: %d ", sl->isl_type);
 		break;
 	}
 	t += strlen(t);
@@ -918,38 +922,38 @@ static void print_statelog(conf, buf, blen)
 	proto = getlocalproto(sl->isl_p);
 
 	if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
-		sprintf(t, "%s,%s -> ",
+		snprintf(t, sizeof(t), "%s,%s -> ",
 			hostname(family, (u_32_t *)&sl->isl_src),
 			portlocalname(res, proto, (u_int)sl->isl_sport));
 		t += strlen(t);
-		sprintf(t, "%s,%s PR %s",
+		snprintf(t, sizeof(t), "%s,%s PR %s",
 			hostname(family, (u_32_t *)&sl->isl_dst),
 			portlocalname(res, proto, (u_int)sl->isl_dport), proto);
 	} else if (sl->isl_p == IPPROTO_ICMP) {
-		sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
+		snprintf(t, sizeof(t), "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
 		t += strlen(t);
-		sprintf(t, "%s PR icmp %d",
+		snprintf(t, sizeof(t), "%s PR icmp %d",
 			hostname(family, (u_32_t *)&sl->isl_dst),
 			sl->isl_itype);
 	} else if (sl->isl_p == IPPROTO_ICMPV6) {
-		sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
+		snprintf(t, sizeof(t), "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
 		t += strlen(t);
-		sprintf(t, "%s PR icmpv6 %d",
+		snprintf(t, sizeof(t), "%s PR icmpv6 %d",
 			hostname(family, (u_32_t *)&sl->isl_dst),
 			sl->isl_itype);
 	} else {
-		sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
+		snprintf(t, sizeof(t), "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
 		t += strlen(t);
-		sprintf(t, "%s PR %s",
+		snprintf(t, sizeof(t), "%s PR %s",
 			hostname(family, (u_32_t *)&sl->isl_dst), proto);
 	}
 	t += strlen(t);
 	if (sl->isl_tag != FR_NOLOGTAG) {
-		sprintf(t, " tag %u", sl->isl_tag);
+		snprintf(t, sizeof(t), " tag %u", sl->isl_tag);
 		t += strlen(t);
 	}
 	if (sl->isl_type != ISL_NEW) {
-		sprintf(t,
+		snprintf(t, sizeof(t),
 #ifdef	USE_QUAD_T
 #ifdef	PRId64
 			" Forward: Pkts in %" PRId64 " Bytes in %" PRId64
@@ -1095,10 +1099,10 @@ static void print_ipflog(conf, buf, blen)
 	}
 	(void) strftime(t, len, "%T", tm);
 	t += strlen(t);
-	sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
+	snprintf(t, sizeof(t), ".%-.6ld ", (long)ipl->ipl_usec);
 	t += strlen(t);
 	if (ipl->ipl_count > 1) {
-		sprintf(t, "%dx ", ipl->ipl_count);
+		snprintf(t, sizeof(t), "%dx ", ipl->ipl_count);
 		t += strlen(t);
 	}
 	{
@@ -1106,11 +1110,11 @@ static void print_ipflog(conf, buf, blen)
 
 	strncpy(ifname, ipf->fl_ifname, sizeof(ipf->fl_ifname));
 	ifname[sizeof(ipf->fl_ifname)] = '\0';
-	sprintf(t, "%s", ifname);
+	snprintf(t, sizeof(t), "%s", ifname);
 	t += strlen(t);
 # if SOLARIS
 		if (ISALPHA(*(t - 1))) {
-			sprintf(t, "%d", ipf->fl_unit);
+			snprintf(t, sizeof(t), "%d", ipf->fl_unit);
 			t += strlen(t);
 		}
 # endif
@@ -1120,12 +1124,12 @@ static void print_ipflog(conf, buf, blen)
 	else if (ipf->fl_group[0] == '\0')
 		(void) strcpy(t, " @0:");
 	else
-		sprintf(t, " @%s:", ipf->fl_group);
+		snprintf(t, sizeof(t), " @%s:", ipf->fl_group);
 	t += strlen(t);
 	if (ipf->fl_rule == 0xffffffff)
 		strcat(t, "-1 ");
 	else
-		sprintf(t, "%u ", ipf->fl_rule + 1);
+		snprintf(t, sizeof(t), "%u ", ipf->fl_rule + 1);
 	t += strlen(t);
 
 	lvl = LOG_NOTICE;
@@ -1212,10 +1216,10 @@ static void print_ipflog(conf, buf, blen)
 	if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
 		tp = (tcphdr_t *)((char *)ip + hl);
 		if (!(ipf->fl_lflags & FI_SHORT)) {
-			sprintf(t, "%s,%s -> ", hostname(f, s),
+			snprintf(t, sizeof(t), "%s,%s -> ", hostname(f, s),
 				portlocalname(res, proto, (u_int)tp->th_sport));
 			t += strlen(t);
-			sprintf(t, "%s,%s PR %s len %hu %hu",
+			snprintf(t, sizeof(t), "%s,%s PR %s len %hu %hu",
 				hostname(f, d),
 				portlocalname(res, proto, (u_int)tp->th_dport),
 				proto, hl, plen);
@@ -1228,7 +1232,7 @@ static void print_ipflog(conf, buf, blen)
 					if (tp->th_flags & tcpfl[i].value)
 						*t++ = tcpfl[i].flag;
 				if (ipmonopts & IPMON_VERBOSE) {
-					sprintf(t, " %lu %lu %hu",
+					snprintf(t, sizeof(t), " %lu %lu %hu",
 						(u_long)(ntohl(tp->th_seq)),
 						(u_long)(ntohl(tp->th_ack)),
 						ntohs(tp->th_win));
@@ -1237,7 +1241,7 @@ static void print_ipflog(conf, buf, blen)
 			}
 			*t = '\0';
 		} else {
-			sprintf(t, "%s -> ", hostname(f, s));
+			snprintf(t, sizeof(t), "%s -> ", hostname(f, s));
 			t += strlen(t);
 			sprintf(t, "%s PR %s len %hu %hu",
 				hostname(f, d), proto, hl, plen);
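Review bot: The second call in this else branch, `sprintf(t, "%s PR %s len %hu %hu", hostname(f, d), proto, hl, plen);`, is left as an unbounded sprintf while the call just before it was converted. It writes a hostname and a protocol name into the same line buffer, so it needs a bound as much as its neighbours do. When converting it, the size must be the space remaining after `t` rather than `sizeof(t)`, since `t` is a pointer that `t += strlen(t)` advances. print_ipflog starts and ends outside the hunk.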
@@ -1245,17 +1249,17 @@ static void print_ipflog(conf, buf, blen)
 #if defined(AF_INET6) && defined(IPPROTO_ICMPV6)
 	} else if ((p == IPPROTO_ICMPV6) && !off && (f == AF_INET6)) {
 		ic = (struct icmp *)((char *)ip + hl);
-		sprintf(t, "%s -> ", hostname(f, s));
+		snprintf(t, sizeof(t), "%s -> ", hostname(f, s));
 		t += strlen(t);
-		sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
+		snprintf(t, sizeof(t), "%s PR icmpv6 len %hu %hu icmpv6 %s",
 			hostname(f, d), hl, plen,
 			icmpname6(ic->icmp_type, ic->icmp_code));
 #endif
 	} else if ((p == IPPROTO_ICMP) && !off && (f == AF_INET)) {
 		ic = (struct icmp *)((char *)ip + hl);
-		sprintf(t, "%s -> ", hostname(f, s));
+		snprintf(t, sizeof(t), "%s -> ", hostname(f, s));
 		t += strlen(t);
-		sprintf(t, "%s PR icmp len %hu %hu icmp %s",
+		snprintf(t, sizeof(t), "%s PR icmp len %hu %hu icmp %s",
 			hostname(f, d), hl, plen,
 			icmpname(ic->icmp_type, ic->icmp_code));
 		if (ic->icmp_type == ICMP_UNREACH ||
@@ -1279,12 +1283,12 @@ static void print_ipflog(conf, buf, blen)
 			     (ipc->ip_p == IPPROTO_UDP))) {
 				tp = (tcphdr_t *)((char *)ipc + hl);
 				t += strlen(t);
-				sprintf(t, " for %s,%s -",
+				snprintf(t, sizeof(t), " for %s,%s -",
 					HOSTNAMEV4(ipc->ip_src),
 					portlocalname(res, proto,
 						 (u_int)tp->th_sport));
 				t += strlen(t);
-				sprintf(t, " %s,%s PR %s len %hu %hu",
+				snprintf(t, sizeof(t), " %s,%s PR %s len %hu %hu",
 					HOSTNAMEV4(ipc->ip_dst),
 					portlocalname(res, proto,
 						 (u_int)tp->th_dport),
@@ -1294,25 +1298,25 @@ static void print_ipflog(conf, buf, blen)
 				icmp = (icmphdr_t *)((char *)ipc + hl);
 
 				t += strlen(t);
-				sprintf(t, " for %s -",
+				snprintf(t, sizeof(t), " for %s -",
 					HOSTNAMEV4(ipc->ip_src));
 				t += strlen(t);
-				sprintf(t,
+				snprintf(t, sizeof(t),
 					" %s PR icmp len %hu %hu icmp %d/%d",
 					HOSTNAMEV4(ipc->ip_dst),
 					IP_HL(ipc) << 2, i,
 					icmp->icmp_type, icmp->icmp_code);
 			} else {
 				t += strlen(t);
-				sprintf(t, " for %s -",
+				snprintf(t, sizeof(t), " for %s -",
 					HOSTNAMEV4(ipc->ip_src));
 				t += strlen(t);
-				sprintf(t, " %s PR %s len %hu (%hu)",
+				snprintf(t, sizeof(t), " %s PR %s len %hu (%hu)",
 					HOSTNAMEV4(ipc->ip_dst), proto,
 					IP_HL(ipc) << 2, i);
 				t += strlen(t);
 				if (ipoff & IP_OFFMASK) {
-					sprintf(t, "(frag %d:%hu@%hu%s%s)",
+					snprintf(t, sizeof(t), "(frag %d:%hu@%hu%s%s)",
 						ntohs(ipc->ip_id),
 						i - (IP_HL(ipc) << 2),
 						(ipoff & IP_OFFMASK) << 3,
@@ -1323,13 +1327,13 @@ static void print_ipflog(conf, buf, blen)
 
 		}
 	} else {
-		sprintf(t, "%s -> ", hostname(f, s));
+		snprintf(t, sizeof(t), "%s -> ", hostname(f, s));
 		t += strlen(t);
-		sprintf(t, "%s PR %s len %hu (%hu)",
+		snprintf(t, sizeof(t), "%s PR %s len %hu (%hu)",
 			hostname(f, d), proto, hl, plen);
 		t += strlen(t);
 		if (off & IP_OFFMASK)
-			sprintf(t, " (frag %d:%hu@%hu%s%s)",
+			snprintf(t, sizeof(t), " (frag %d:%hu@%hu%s%s)",
 				ntohs(ip->ip_id),
 				plen - hl, (off & IP_OFFMASK) << 3,
 				ipoff & IP_MF ? "+" : "",
@@ -1354,7 +1358,7 @@ printipflog:
 		strcpy(t, " OUT");
 	t += strlen(t);
 	if (ipf->fl_logtag != 0) {
-		sprintf(t, " log-tag %d", ipf->fl_logtag);
+		snprintf(t, sizeof(t), " log-tag %d", ipf->fl_logtag);
 		t += strlen(t);
 	}
 	if (ipf->fl_nattag.ipt_num[0] != 0) {
diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y
index 0aeb20a32519..e734c1c8c1f1 100644
--- a/contrib/ipfilter/tools/ipmon_y.y
+++ b/contrib/ipfilter/tools/ipmon_y.y
@@ -368,7 +368,7 @@ build_action(olist, todo)
 			if (o->o_str != NULL)
 				strncpy(a->ac_group, o->o_str, FR_GROUPLEN);
 			else
-				sprintf(a->ac_group, "%d", o->o_num);
+				snprintf(a->ac_group, FR_GROUPLEN, "%d", o->o_num);
 			break;
 		case IPM_LOGTAG :
 			a->ac_logtag = o->o_num;
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index 30e888d8b490..a6a5a0e49d76 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -1507,7 +1507,7 @@ ipnat_addrule(fd, ioctlfunc, ptr)
 			if ((opts & OPT_DONOTHING) == 0) {
 				char msg[80];
 
-				sprintf(msg, "%d:ioctl(zero nat rule)",
+				snprintf(msg, sizeof(msg), "%d:ioctl(zero nat rule)",
 					ipn->in_flineno);
 				return ipf_perror_fd(fd, ioctlfunc, msg);
 			}
@@ -1527,7 +1527,7 @@ ipnat_addrule(fd, ioctlfunc, ptr)
 			if ((opts & OPT_DONOTHING) == 0) {
 				char msg[80];
 
-				sprintf(msg, "%d:ioctl(delete nat rule)",
+				snprintf(msg, sizeof(msg), "%d:ioctl(delete nat rule)",
 					ipn->in_flineno);
 				return ipf_perror_fd(fd, ioctlfunc, msg);
 			}
@@ -1537,10 +1537,11 @@ ipnat_addrule(fd, ioctlfunc, ptr)
 			if ((opts & OPT_DONOTHING) == 0) {
 				char msg[80];
 
-				sprintf(msg, "%d:ioctl(add/insert nat rule)",
+				snprintf(msg, sizeof(msg), "%d:ioctl(add/insert nat rule)",
 					ipn->in_flineno);
 				if (errno == EEXIST) {
-					sprintf(msg + strlen(msg), "(line %d)",
+					int strlen_msg = strlen(msg);
+					snprintf(msg + strlen_msg, sizeof(msg) -strlen_msg, "(line %d)",
 						ipn->in_flineno);
 				}
 				return ipf_perror_fd(fd, ioctlfunc, msg);
@@ -1717,7 +1718,7 @@ proxy_loadconfig(fd, ioctlfunc, proxy, proto, conf, list)
                         if ((opts & OPT_DONOTHING) == 0) {
                                 char msg[80];
 
-                                sprintf(msg, "%d:ioctl(add/remove proxy rule)",
+                                snprintf(msg, sizeof(msg), "%d:ioctl(add/remove proxy rule)",
 					yylineNum);
                                 ipf_perror_fd(fd, ioctlfunc, msg);
 				return;
diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y
index 741ae2db7466..03ee1731f24f 100644
--- a/contrib/ipfilter/tools/ippool_y.y
+++ b/contrib/ipfilter/tools/ippool_y.y
@@ -218,7 +218,7 @@ ipfgroup:
 					{ $$ = $3; }
 	;
 
-number:	IPT_NUM '=' YY_NUMBER			{ sprintf(poolname, "%u", $3);
+number:	IPT_NUM '=' YY_NUMBER			{ snprintf(poolname, sizeof(poolname), "%u", $3);
 						  $$ = poolname;
 						}
 	| IPT_NAME '=' YY_STR			{ strncpy(poolname, $3,
@@ -237,7 +237,7 @@ setgroup:
 					  free($3);
 					}
 	| IPT_GROUP '=' YY_NUMBER	{ char tmp[FR_GROUPLEN+1];
-					  sprintf(tmp, "%u", $3);
+					  snprintf(tmp, sizeof(tmp), "%u", $3);
 					  $$ = strdup(tmp);
 					}
 	;
@@ -516,7 +516,7 @@ poolline:
 
 name:	IPT_NAME YY_STR			{ $$ = $2; }
 	| IPT_NUM YY_NUMBER		{ char name[80];
-					  sprintf(name, "%d", $2);
+					  snprintf(name, sizeof(name), "%d", $2);
 					  $$ = strdup(name);
 					}
 	;
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index 926ee201685f..2dc2c3e8fe8c 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -447,7 +447,7 @@ buildipv6:
 		oc = c;
 
 		if (prior == YY_NUMBER && c == ':') {
-			sprintf(s, "%d", priornum);
+			snprintf(s, sizeof(s), "%d", priornum);
 			s += strlen(s);
 		}