--- mtr-0.69/dns.c.CVE-2002-0497	2005-01-11 09:32:42.000000000 +0100

+++ mtr-0.69/dns.c	2005-02-09 18:13:12.000000000 +0100

@@ -877,7 +877,7 @@

   if (type == T_A) {

     dorequest(rp->hostname,type,rp->id);

     if (debug) {

-      sprintf(tempstring,"Resolver: Sent reverse authentication request for \"%s\".",

+      snprintf(tempstring, sizeof(tempstring), "Resolver: Sent reverse authentication request for \"%s\".",

 	      rp->hostname);

       restell(tempstring);

     }

@@ -898,7 +898,7 @@

     }

     dorequest(tempstring,type,rp->id);

     if (debug) {

-      sprintf(tempstring,"Resolver: Sent domain lookup request for \"%s\".",

+      snprintf(tempstring, sizeof(tempstring), "Resolver: Sent domain lookup request for \"%s\".",

 	      strlongip( &(rp->ip) ));

       restell(tempstring);

     }

@@ -934,7 +934,7 @@

   rp->expiretime = sweeptime + (double)ttl;

   untieresolve(rp);

   if (debug) {

-    sprintf(tempstring,"Resolver: Lookup successful: %s\n",rp->hostname);

+    snprintf(tempstring, sizeof(tempstring), "Resolver: Lookup successful: %s\n",rp->hostname);

     restell(tempstring);

   }

 }

@@ -991,7 +991,7 @@

   case NOERROR:

     if (hp->ancount) {

       if (debug) {

-	sprintf(tempstring,"Resolver: Received nameserver reply. (qd:%u an:%u ns:%u ar:%u)",

+	snprintf(tempstring, sizeof(tempstring), "Resolver: Received nameserver reply. (qd:%u an:%u ns:%u ar:%u)",

                 hp->qdcount,hp->ancount,hp->nscount,hp->arcount);

 	restell(tempstring);

       }

@@ -1031,14 +1031,14 @@

       namestring[strlen(stackstring)] = '\0';

       if (strcasecmp(stackstring,namestring)) {

 	if (debug) {

-	  sprintf(tempstring,"Resolver: Unknown query packet dropped. (\"%s\" does not match \"%s\")",

+	  snprintf(tempstring, sizeof(tempstring), "Resolver: Unknown query packet dropped. (\"%s\" does not match \"%s\")",

 		  stackstring,namestring);

 	  restell(tempstring);

 	}

 	return;

       }

       if (debug) {

-	sprintf(tempstring,"Resolver: Queried domain name: \"%s\"",namestring);

+	snprintf(tempstring, sizeof(tempstring), "Resolver: Queried domain name: \"%s\"",namestring);

 	restell(tempstring);

       }

       c+= r;

@@ -1049,7 +1049,7 @@

       qdatatype = sucknetword(c);

       qclass = sucknetword(c);

       if (qclass != C_IN) {

-	sprintf(tempstring,"Resolver error: Received unsupported query class: %u (%s)",

+	snprintf(tempstring, sizeof(tempstring), "Resolver error: Received unsupported query class: %u (%s)",

                 qclass,qclass < ClasstypeCount ? classtypes[qclass] :

 		classtypes[ClasstypeCount]);

 	restell(tempstring);

@@ -1063,7 +1063,7 @@

 	  }

 	break;

       default:

-	sprintf(tempstring,"Resolver error: Received unimplemented query type: %u (%s)",

+	snprintf(tempstring, sizeof(tempstring), "Resolver error: Received unimplemented query type: %u (%s)",

 		qdatatype,qdatatype < ResourcetypeCount ?

 		resourcetypes[qdatatype] : resourcetypes[ResourcetypeCount]);

 	restell(tempstring);

@@ -1085,7 +1085,7 @@

 	else

 	  usefulanswer = 1;

 	if (debug) {

-	  sprintf(tempstring,"Resolver: answered domain query: \"%s\"",namestring);

+	  snprintf(tempstring, sizeof(tempstring), "Resolver: answered domain query: \"%s\"",namestring);

 	  restell(tempstring);

 	}

 	c+= r;

@@ -1098,10 +1098,10 @@

 	ttl = sucknetlong(c);

 	rdatalength = sucknetword(c);

 	if (class != qclass) {

-	  sprintf(tempstring,"query class: %u (%s)",qclass,qclass < ClasstypeCount ?

+	  snprintf(tempstring, sizeof(tempstring), "query class: %u (%s)",qclass,qclass < ClasstypeCount ?

 		  classtypes[qclass] : classtypes[ClasstypeCount]);

 	  restell(tempstring);

-	  sprintf(tempstring,"rr class: %u (%s)",class,class < ClasstypeCount ?

+	  snprintf(tempstring, sizeof(tempstring), "rr class: %u (%s)",class,class < ClasstypeCount ?

 		  classtypes[class] : classtypes[ClasstypeCount]);

 	  restell(tempstring);

 	  restell("Resolver error: Answered class does not match queried class.");

@@ -1117,20 +1117,20 @@

 	}

 	if (datatype == qdatatype || datatype == T_CNAME) {

 	  if (debug) {

-	    sprintf(tempstring,"Resolver: TTL: %s",strtdiff(sendstring,ttl));

+	    snprintf(tempstring, sizeof(tempstring), "Resolver: TTL: %s",strtdiff(sendstring,ttl));

 	    restell(tempstring);

 	  }

 	  if (usefulanswer)

 	    switch (datatype) {

 	    case T_A:

 	      if (rdatalength != 4) {

-		sprintf(tempstring,"Resolver error: Unsupported rdata format for \"A\" type. (%u bytes)",

+		snprintf(tempstring, sizeof(tempstring), "Resolver error: Unsupported rdata format for \"A\" type. (%u bytes)",

 			rdatalength);

 		restell(tempstring);

 		return;

 	      }

 	      if ( addrcmp( (void *) &(rp->ip), (void *) c, af ) == 0 ) {

-		sprintf(tempstring,"Resolver: Reverse authentication failed: %s != ",

+		snprintf(tempstring, sizeof(tempstring), "Resolver: Reverse authentication failed: %s != ",

 			strlongip( &(rp->ip) ));

 		addrcpy( (void *) &alignedip, (void *) c, af );

 		strcat(tempstring,strlongip( &alignedip ));

@@ -1138,7 +1138,7 @@

 		res_hostipmismatch++;

 		failrp(rp);

 	      } else {

-		sprintf(tempstring,"Resolver: Reverse authentication complete: %s == \"%s\".",

+		snprintf(tempstring, sizeof(tempstring), "Resolver: Reverse authentication complete: %s == \"%s\".",

 			strlongip( &(rp->ip) ),nonull(rp->hostname));

 		restell(tempstring);

 		res_reversesuccess++;

@@ -1155,7 +1155,7 @@

 		return;

 	      }

 	      if (debug) {

-		sprintf(tempstring,"Resolver: Answered domain: \"%s\"",namestring);

+		snprintf(tempstring, sizeof(tempstring), "Resolver: Answered domain: \"%s\"",namestring);

 		restell(tempstring);

 	      }

 	      if (r > HostnameLength) {

@@ -1180,14 +1180,14 @@

 	      }

 	      break;

 	    default:

-	      sprintf(tempstring,"Resolver error: Received unimplemented data type: %u (%s)",

+	      snprintf(tempstring, sizeof(tempstring), "Resolver error: Received unimplemented data type: %u (%s)",

 		      datatype,datatype < ResourcetypeCount ?

 		      resourcetypes[datatype] : resourcetypes[ResourcetypeCount]);

 	      restell(tempstring);

 	    }

 	} else {

 	  if (debug) {

-	    sprintf(tempstring,"Resolver: Ignoring resource type %u. (%s)",

+	    snprintf(tempstring, sizeof(tempstring), "Resolver: Ignoring resource type %u. (%s)",

 		    datatype,datatype < ResourcetypeCount ?

 		    resourcetypes[datatype] : resourcetypes[ResourcetypeCount]);

 	    restell(tempstring);

@@ -1205,7 +1205,7 @@

     failrp(rp);

     break;

   default:

-    sprintf(tempstring,"Resolver: Received error response %u. (%s)",

+    snprintf(tempstring, sizeof(tempstring), "Resolver: Received error response %u. (%s)",

 	    getheader_rcode(hp),getheader_rcode(hp) < ResponsecodeCount ?

 	    responsecodes[getheader_rcode(hp)] : responsecodes[ResponsecodeCount]);

     restell(tempstring);

@@ -1236,13 +1236,13 @@

 		      (void *) &(from4->sin_addr), AF_INET ) == 0 )

 	  break;

     if (i == _res.nscount) {

-      sprintf(tempstring,"Resolver error: Received reply from unknown source: %s",

+      snprintf(tempstring, sizeof(tempstring), "Resolver error: Received reply from unknown source: %s",

 	      inet_ntoa(from4->sin_addr ));

       restell(tempstring);

     } else

       parserespacket((byte *)resrecvbuf,r);

   } else {

-    sprintf(tempstring,"Resolver: Socket error: %s",strerror(errno));

+    snprintf(tempstring, sizeof(tempstring), "Resolver: Socket error: %s",strerror(errno));

     restell(tempstring);

   }

 }

@@ -1271,7 +1271,7 @@

     case STATE_FINISHED:	/* TTL has expired */

     case STATE_FAILED:	/* Fake TTL has expired */

       if (debug) {

-	sprintf(tempstring,"Resolver: Cache record for \"%s\" (%s) has expired. (state: %u)  Marked for expire at: %g, time: %g.",

+	snprintf(tempstring, sizeof(tempstring), "Resolver: Cache record for \"%s\" (%s) has expired. (state: %u)  Marked for expire at: %g, time: %g.",

                 nonull(rp->hostname), strlongip( &(rp->ip) ), 

 		rp->state, rp->expiretime, sweeptime);

 	restell(tempstring);

@@ -1315,14 +1315,14 @@

     if ((rp->state == STATE_FINISHED) || (rp->state == STATE_FAILED)) {

       if ((rp->state == STATE_FINISHED) && (rp->hostname)) {

 	if (debug) {

-	  sprintf(tempstring,"Resolver: Used cached record: %s == \"%s\".\n",

+	  snprintf(tempstring, sizeof(tempstring), "Resolver: Used cached record: %s == \"%s\".\n",

 		  strlongip(ip),rp->hostname);

 	  restell(tempstring);

 	}

 	return rp->hostname;

       } else {

 	if (debug) {

-	  sprintf(tempstring,"Resolver: Used failed record: %s == ???\n",

+	  snprintf(tempstring, sizeof(tempstring), "Resolver: Used failed record: %s == ???\n",

 		  strlongip(ip));

 	  restell(tempstring);

 	}

--- mtr-0.69/split.c.CVE-2002-0497	2005-01-11 09:34:07.000000000 +0100

+++ mtr-0.69/split.c	2005-02-09 18:13:58.000000000 +0100

@@ -103,13 +103,13 @@

       name = dns_lookup(addr);

       if(name != NULL) {

 	/* May be we should test name's length */

-	sprintf(newLine, "%s %d %d %d %d %d %d", name,

+	snprintf(newLine, sizeof(newLine), "%s %d %d %d %d %d %d", name,

 		net_loss(at),

 		net_returned(at), net_xmit(at),

 		net_best(at) /1000, net_avg(at)/1000, 

 		net_worst(at)/1000);

       } else {

-	sprintf(newLine, "%s %d %d %d %d %d %d", 

+	snprintf(newLine, sizeof(newLine), "%s %d %d %d %d %d %d", 

 		strlongip( addr ),

 		net_loss(at),

 		net_returned(at), net_xmit(at),