From ca46dbbc1cc6bec00272a095140960f29822e1c1 Mon Sep 17 00:00:00 2001
From: peter <peter@FreeBSD.org>
Date: Sun, 28 Jul 1996 20:29:10 +0000
Subject: [PATCH] Limit the risk of `buf' overrun in ping.c when printing
 hostnames.

Note, this is not really a security risk, because the buffer in question
is a static variable in the data segment and not on the stack, and hence
cannot subert the flow of execution in any way.  About the worst case was
that if you pinged a long hostname, ping could coredump.

Pointed out on: bugtraq  (listserv@netspace.org)
---
 sbin/ping/ping.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 3545c319ec20..de19a4575d02 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -959,9 +959,10 @@ pr_addr(l)
 
 	if ((options & F_NUMERIC) ||
 	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
-		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
+		(void)snprintf(buf, sizeof(buf), "%s",
+		    inet_ntoa(*(struct in_addr *)&l));
 	else
-		(void)sprintf(buf, "%s (%s)", hp->h_name,
+		(void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,
 		    inet_ntoa(*(struct in_addr *)&l));
 	return(buf);
 }