--- mtr-0.69/dns.c.CVE-2002-0497	2005-01-11 09:32:42.000000000 +0100
+++ mtr-0.69/dns.c	2005-02-09 18:13:12.000000000 +0100
@@ -877,7 +877,7 @@
   if (type == T_A) {
     dorequest(rp->hostname,type,rp->id);
     if (debug) {
-      sprintf(tempstring,"Resolver: Sent reverse authentication request for \"%s\".",
+      snprintf(tempstring, sizeof(tempstring), "Resolver: Sent reverse authentication request for \"%s\".",
 	      rp->hostname);
       restell(tempstring);
     }
@@ -898,7 +898,7 @@
     }
     dorequest(tempstring,type,rp->id);
     if (debug) {
-      sprintf(tempstring,"Resolver: Sent domain lookup request for \"%s\".",
+      snprintf(tempstring, sizeof(tempstring), "Resolver: Sent domain lookup request for \"%s\".",
 	      strlongip( &(rp->ip) ));
       restell(tempstring);
     }
@@ -934,7 +934,7 @@
   rp->expiretime = sweeptime + (double)ttl;
   untieresolve(rp);
   if (debug) {
-    sprintf(tempstring,"Resolver: Lookup successful: %s\n",rp->hostname);
+    snprintf(tempstring, sizeof(tempstring), "Resolver: Lookup successful: %s\n",rp->hostname);
     restell(tempstring);
   }
 }
@@ -991,7 +991,7 @@
   case NOERROR:
     if (hp->ancount) {
       if (debug) {
-	sprintf(tempstring,"Resolver: Received nameserver reply. (qd:%u an:%u ns:%u ar:%u)",
+	snprintf(tempstring, sizeof(tempstring), "Resolver: Received nameserver reply. (qd:%u an:%u ns:%u ar:%u)",
                 hp->qdcount,hp->ancount,hp->nscount,hp->arcount);
 	restell(tempstring);
       }
@@ -1031,14 +1031,14 @@
       namestring[strlen(stackstring)] = '\0';
       if (strcasecmp(stackstring,namestring)) {
 	if (debug) {
-	  sprintf(tempstring,"Resolver: Unknown query packet dropped. (\"%s\" does not match \"%s\")",
+	  snprintf(tempstring, sizeof(tempstring), "Resolver: Unknown query packet dropped. (\"%s\" does not match \"%s\")",
 		  stackstring,namestring);
 	  restell(tempstring);
 	}
 	return;
       }
       if (debug) {
-	sprintf(tempstring,"Resolver: Queried domain name: \"%s\"",namestring);
+	snprintf(tempstring, sizeof(tempstring), "Resolver: Queried domain name: \"%s\"",namestring);
 	restell(tempstring);
       }
       c+= r;
@@ -1049,7 +1049,7 @@
       qdatatype = sucknetword(c);
       qclass = sucknetword(c);
       if (qclass != C_IN) {
-	sprintf(tempstring,"Resolver error: Received unsupported query class: %u (%s)",
+	snprintf(tempstring, sizeof(tempstring), "Resolver error: Received unsupported query class: %u (%s)",
                 qclass,qclass < ClasstypeCount ? classtypes[qclass] :
 		classtypes[ClasstypeCount]);
 	restell(tempstring);
@@ -1063,7 +1063,7 @@
 	  }
 	break;
       default:
-	sprintf(tempstring,"Resolver error: Received unimplemented query type: %u (%s)",
+	snprintf(tempstring, sizeof(tempstring), "Resolver error: Received unimplemented query type: %u (%s)",
 		qdatatype,qdatatype < ResourcetypeCount ?
 		resourcetypes[qdatatype] : resourcetypes[ResourcetypeCount]);
 	restell(tempstring);
@@ -1085,7 +1085,7 @@
 	else
 	  usefulanswer = 1;
 	if (debug) {
-	  sprintf(tempstring,"Resolver: answered domain query: \"%s\"",namestring);
+	  snprintf(tempstring, sizeof(tempstring), "Resolver: answered domain query: \"%s\"",namestring);
 	  restell(tempstring);
 	}
 	c+= r;
@@ -1098,10 +1098,10 @@
 	ttl = sucknetlong(c);
 	rdatalength = sucknetword(c);
 	if (class != qclass) {
-	  sprintf(tempstring,"query class: %u (%s)",qclass,qclass < ClasstypeCount ?
+	  snprintf(tempstring, sizeof(tempstring), "query class: %u (%s)",qclass,qclass < ClasstypeCount ?
 		  classtypes[qclass] : classtypes[ClasstypeCount]);
 	  restell(tempstring);
-	  sprintf(tempstring,"rr class: %u (%s)",class,class < ClasstypeCount ?
+	  snprintf(tempstring, sizeof(tempstring), "rr class: %u (%s)",class,class < ClasstypeCount ?
 		  classtypes[class] : classtypes[ClasstypeCount]);
 	  restell(tempstring);
 	  restell("Resolver error: Answered class does not match queried class.");
@@ -1117,20 +1117,20 @@
 	}
 	if (datatype == qdatatype || datatype == T_CNAME) {
 	  if (debug) {
-	    sprintf(tempstring,"Resolver: TTL: %s",strtdiff(sendstring,ttl));
+	    snprintf(tempstring, sizeof(tempstring), "Resolver: TTL: %s",strtdiff(sendstring,ttl));
 	    restell(tempstring);
 	  }
 	  if (usefulanswer)
 	    switch (datatype) {
 	    case T_A:
 	      if (rdatalength != 4) {
-		sprintf(tempstring,"Resolver error: Unsupported rdata format for \"A\" type. (%u bytes)",
+		snprintf(tempstring, sizeof(tempstring), "Resolver error: Unsupported rdata format for \"A\" type. (%u bytes)",
 			rdatalength);
 		restell(tempstring);
 		return;
 	      }
 	      if ( addrcmp( (void *) &(rp->ip), (void *) c, af ) == 0 ) {
-		sprintf(tempstring,"Resolver: Reverse authentication failed: %s != ",
+		snprintf(tempstring, sizeof(tempstring), "Resolver: Reverse authentication failed: %s != ",
 			strlongip( &(rp->ip) ));
 		addrcpy( (void *) &alignedip, (void *) c, af );
 		strcat(tempstring,strlongip( &alignedip ));
@@ -1138,7 +1138,7 @@
 		res_hostipmismatch++;
 		failrp(rp);
 	      } else {
-		sprintf(tempstring,"Resolver: Reverse authentication complete: %s == \"%s\".",
+		snprintf(tempstring, sizeof(tempstring), "Resolver: Reverse authentication complete: %s == \"%s\".",
 			strlongip( &(rp->ip) ),nonull(rp->hostname));
 		restell(tempstring);
 		res_reversesuccess++;
@@ -1155,7 +1155,7 @@
 		return;
 	      }
 	      if (debug) {
-		sprintf(tempstring,"Resolver: Answered domain: \"%s\"",namestring);
+		snprintf(tempstring, sizeof(tempstring), "Resolver: Answered domain: \"%s\"",namestring);
 		restell(tempstring);
 	      }
 	      if (r > HostnameLength) {
@@ -1180,14 +1180,14 @@
 	      }
 	      break;
 	    default:
-	      sprintf(tempstring,"Resolver error: Received unimplemented data type: %u (%s)",
+	      snprintf(tempstring, sizeof(tempstring), "Resolver error: Received unimplemented data type: %u (%s)",
 		      datatype,datatype < ResourcetypeCount ?
 		      resourcetypes[datatype] : resourcetypes[ResourcetypeCount]);
 	      restell(tempstring);
 	    }
 	} else {
 	  if (debug) {
-	    sprintf(tempstring,"Resolver: Ignoring resource type %u. (%s)",
+	    snprintf(tempstring, sizeof(tempstring), "Resolver: Ignoring resource type %u. (%s)",
 		    datatype,datatype < ResourcetypeCount ?
 		    resourcetypes[datatype] : resourcetypes[ResourcetypeCount]);
 	    restell(tempstring);
@@ -1205,7 +1205,7 @@
     failrp(rp);
     break;
   default:
-    sprintf(tempstring,"Resolver: Received error response %u. (%s)",
+    snprintf(tempstring, sizeof(tempstring), "Resolver: Received error response %u. (%s)",
 	    getheader_rcode(hp),getheader_rcode(hp) < ResponsecodeCount ?
 	    responsecodes[getheader_rcode(hp)] : responsecodes[ResponsecodeCount]);
     restell(tempstring);
@@ -1236,13 +1236,13 @@
 		      (void *) &(from4->sin_addr), AF_INET ) == 0 )
 	  break;
     if (i == _res.nscount) {
-      sprintf(tempstring,"Resolver error: Received reply from unknown source: %s",
+      snprintf(tempstring, sizeof(tempstring), "Resolver error: Received reply from unknown source: %s",
 	      inet_ntoa(from4->sin_addr ));
       restell(tempstring);
     } else
       parserespacket((byte *)resrecvbuf,r);
   } else {
-    sprintf(tempstring,"Resolver: Socket error: %s",strerror(errno));
+    snprintf(tempstring, sizeof(tempstring), "Resolver: Socket error: %s",strerror(errno));
     restell(tempstring);
   }
 }
@@ -1271,7 +1271,7 @@
     case STATE_FINISHED:	/* TTL has expired */
     case STATE_FAILED:	/* Fake TTL has expired */
       if (debug) {
-	sprintf(tempstring,"Resolver: Cache record for \"%s\" (%s) has expired. (state: %u)  Marked for expire at: %g, time: %g.",
+	snprintf(tempstring, sizeof(tempstring), "Resolver: Cache record for \"%s\" (%s) has expired. (state: %u)  Marked for expire at: %g, time: %g.",
                 nonull(rp->hostname), strlongip( &(rp->ip) ), 
 		rp->state, rp->expiretime, sweeptime);
 	restell(tempstring);
@@ -1315,14 +1315,14 @@
     if ((rp->state == STATE_FINISHED) || (rp->state == STATE_FAILED)) {
       if ((rp->state == STATE_FINISHED) && (rp->hostname)) {
 	if (debug) {
-	  sprintf(tempstring,"Resolver: Used cached record: %s == \"%s\".\n",
+	  snprintf(tempstring, sizeof(tempstring), "Resolver: Used cached record: %s == \"%s\".\n",
 		  strlongip(ip),rp->hostname);
 	  restell(tempstring);
 	}
 	return rp->hostname;
       } else {
 	if (debug) {
-	  sprintf(tempstring,"Resolver: Used failed record: %s == ???\n",
+	  snprintf(tempstring, sizeof(tempstring), "Resolver: Used failed record: %s == ???\n",
 		  strlongip(ip));
 	  restell(tempstring);
 	}
--- mtr-0.69/split.c.CVE-2002-0497	2005-01-11 09:34:07.000000000 +0100
+++ mtr-0.69/split.c	2005-02-09 18:13:58.000000000 +0100
@@ -103,13 +103,13 @@
       name = dns_lookup(addr);
       if(name != NULL) {
 	/* May be we should test name's length */
-	sprintf(newLine, "%s %d %d %d %d %d %d", name,
+	snprintf(newLine, sizeof(newLine), "%s %d %d %d %d %d %d", name,
 		net_loss(at),
 		net_returned(at), net_xmit(at),
 		net_best(at) /1000, net_avg(at)/1000, 
 		net_worst(at)/1000);
       } else {
-	sprintf(newLine, "%s %d %d %d %d %d %d", 
+	snprintf(newLine, sizeof(newLine), "%s %d %d %d %d %d %d", 
 		strlongip( addr ),
 		net_loss(at),
 		net_returned(at), net_xmit(at),