authorimp <imp@FreeBSD.org>1997-01-10 07:53:28 +0000
committerimp <imp@FreeBSD.org>1997-01-10 07:53:28 +0000
commitbf83493bdc4599da7c7f60af23bd74c0e657a98f (patch)
tree3c5f5f3ad5ea638680e4a543a64066fb208ae92f /usr.sbin
parent97aa7b5184f1f12bd25cdc14bc7074351a3fe9aa (diff)
Fix many buffer overruns in the code. Specifically, disallow ExpandString
to be used to expand things beyond the size of the buffer passed in. Also do a general cleanup of sprintf -> snprintf as well as strcpy and strncat safety. Also expand some buffers to allow for the largest possible data that might be used. This is a 2.2 candidate. However, it needs to be vetted on -current since little testing has been done on this due to my lack of PPP on this machine. Reviewed by: Jordan Hubbard, Peter Wemm, Guido van Rooij
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ppp/alias_ftp.c2
-rw-r--r--usr.sbin/ppp/arp.c5
-rw-r--r--usr.sbin/ppp/auth.c6
-rw-r--r--usr.sbin/ppp/ccp.c6
-rw-r--r--usr.sbin/ppp/chat.c67
-rw-r--r--usr.sbin/ppp/chat.h4
-rw-r--r--usr.sbin/ppp/command.c8
-rw-r--r--usr.sbin/ppp/ipcp.c14
-rw-r--r--usr.sbin/ppp/log.c15
-rw-r--r--usr.sbin/ppp/main.c4
-rw-r--r--usr.sbin/ppp/modem.c10
-rw-r--r--usr.sbin/ppp/os.c10
-rw-r--r--usr.sbin/ppp/passwdauth.c2
13 files changed, 92 insertions, 61 deletions
diff --git a/usr.sbin/ppp/alias_ftp.c b/usr.sbin/ppp/alias_ftp.c
index 7456c8d..6a682bc 100644
--- a/usr.sbin/ppp/alias_ftp.c
+++ b/usr.sbin/ppp/alias_ftp.c
@@ -165,7 +165,7 @@ u_short true_port;
p1 = *ptr++; p2=*ptr;
/* Generate command string */
- sprintf(stemp, "PORT %d,%d,%d,%d,%d,%d\r\n",
+ snprintf(stemp, sizeof(stemp), "PORT %d,%d,%d,%d,%d,%d\r\n",
a1,a2,a3,a4,p1,p2);
/* Save string length for IP header modification */
diff --git a/usr.sbin/ppp/arp.c b/usr.sbin/ppp/arp.c
index 74a0f21..490afd4 100644
--- a/usr.sbin/ppp/arp.c
+++ b/usr.sbin/ppp/arp.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: arp.c,v 1.5 1996/05/11 20:48:09 phk Exp $
+ * $Id: arp.c,v 1.6 1997/01/03 20:19:42 wollman Exp $
*
*/
@@ -259,6 +259,7 @@ get_ether_addr(s, ipaddr, hwaddr)
if (ifr->ifr_addr.sa_family == AF_INET) {
ina = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr;
strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
+ ifreq.ifr_name[sizeof(ifreq.ifr_name)-1]='\0';
/*
* Check that the interface is up, and not point-to-point
* or loopback.
@@ -351,7 +352,7 @@ struct sockaddr_dl *dlo;
struct ifnet ifnet;
int n;
u_long addr, ifaddraddr, ifnetfound, ifaddrfound;
- char name[32];
+ char name[16+32];
struct sockaddr *sa;
char *cp;
struct sockaddr_dl *sdl;
diff --git a/usr.sbin/ppp/auth.c b/usr.sbin/ppp/auth.c
index 3f01962..55ad2c1 100644
--- a/usr.sbin/ppp/auth.c
+++ b/usr.sbin/ppp/auth.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: auth.c,v 1.6 1996/01/11 17:48:36 phk Exp $
+ * $Id: auth.c,v 1.7 1996/05/11 20:48:11 phk Exp $
*
* TODO:
* o Implement check against with registered IP addresses.
@@ -106,7 +106,7 @@ char *fname, *system, *key;
if (n < 2)
continue;
if (strcmp(vector[0], system) == 0) {
- ExpandString(vector[1], passwd, 0);
+ ExpandString(vector[1], passwd, sizeof(passwd), 0);
if (strcmp(passwd, key) == 0) {
CloseSecret(fp);
bzero(&DefHisAddress, sizeof(DefHisAddress));
@@ -147,7 +147,7 @@ int len, setaddr;
if (n < 2)
continue;
if (strlen(vector[0]) == len && strncmp(vector[0], system, len) == 0) {
- ExpandString(vector[1], passwd, 0);
+ ExpandString(vector[1], passwd, sizeof(passwd), 0);
if (setaddr) {
bzero(&DefHisAddress, sizeof(DefHisAddress));
}
diff --git a/usr.sbin/ppp/ccp.c b/usr.sbin/ppp/ccp.c
index 9417f9a..d44bb1f 100644
--- a/usr.sbin/ppp/ccp.c
+++ b/usr.sbin/ppp/ccp.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: ccp.c,v 1.6 1996/01/30 20:04:24 phk Exp $
+ * $Id: ccp.c,v 1.7 1996/05/11 20:48:14 phk Exp $
*
* TODO:
* o Support other compression protocols
@@ -227,9 +227,9 @@ int mode;
type = *cp;
length = cp[1];
if (type <= TY_BSD)
- sprintf(tbuff, " %s[%d] ", cftypes[type], length);
+ snprintf(tbuff, sizeof(tbuff), " %s[%d] ", cftypes[type], length);
else
- sprintf(tbuff, " ");
+ snprintf(tbuff, sizeof(tbuff), " ");
LogPrintf(LOG_LCP_BIT, "%s\n", tbuff);
diff --git a/usr.sbin/ppp/chat.c b/usr.sbin/ppp/chat.c
index e831931..4d29e03 100644
--- a/usr.sbin/ppp/chat.c
+++ b/usr.sbin/ppp/chat.c
@@ -18,7 +18,7 @@
* Columbus, OH 43221
* (614)451-1883
*
- * $Id: chat.c,v 1.11 1996/06/09 20:40:56 ache Exp $
+ * $Id: chat.c,v 1.12 1996/12/15 20:39:29 pst Exp $
*
* TODO:
* o Support more UUCP compatible control sequences.
@@ -110,24 +110,31 @@ char **pvect;
}
/*
+ * \c don't add a cr
+ * \d Sleep a little (delay 2 seconds
+ * \n Line feed character
+ * \P Auth Key password
+ * \p pause 0.25 sec
* \r Carrige return character
* \s Space character
- * \n Line feed character
* \T Telephone number(s) (defined via `set phone')
* \t Tab character
+ * \U Auth User
*/
char *
-ExpandString(str, result, sendmode)
+ExpandString(str, result, reslen, sendmode)
char *str;
char *result;
+int reslen;
int sendmode;
{
int addcr = 0;
char *phone;
+ result[--reslen] = '\0';
if (sendmode)
addcr = 1;
- while (*str) {
+ while (*str && reslen > 0) {
switch (*str) {
case '\\':
str++;
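Review bot: `result[--reslen] = '\0';` at the top of ExpandString writes to `result[-1]` if a caller ever passes a `reslen` of 0, and neither the code nor the comment above the function says that `reslen` is the full buffer size with the terminator included. Every caller visible in this diff passes a `sizeof` expression, so this is hardening rather than a live bug; a guard such as `if (reslen <= 0) return result;` ahead of that line would cover it. I would also add to the header comment something like `reslen is the size of result in bytes, terminator included; output that does not fit is silently truncated`. The function body continues past the end of this hunk.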
@@ -141,16 +148,17 @@ int sendmode;
case 'p':
usleep(250000); break; /* Pause 0.25 sec */
case 'n':
- *result++ = '\n'; break;
+ *result++ = '\n'; reslen--; break;
case 'r':
- *result++ = '\r'; break;
+ *result++ = '\r'; reslen--; break;
case 's':
- *result++ = ' '; break;
+ *result++ = ' '; reslen--; break;
case 't':
- *result++ = '\t'; break;
+ *result++ = '\t'; reslen--; break;
case 'P':
- bcopy(VarAuthKey, result, strlen(VarAuthKey));
- result += strlen(VarAuthKey);
+ strncpy(result, VarAuthKey, reslen);
+ reslen -= strlen(result);
+ result += strlen(result);
break;
case 'T':
if (VarNextPhone == NULL) {
@@ -158,34 +166,45 @@ int sendmode;
VarNextPhone = VarPhoneCopy;
}
phone = strsep(&VarNextPhone, ":");
- bcopy(phone, result, strlen(phone));
- result += strlen(phone);
+ strncpy(result, phone, reslen);
+ reslen -= strlen(result);
+ result += strlen(result);
if ((mode & (MODE_INTER|MODE_AUTO)) == MODE_INTER)
fprintf(stderr, "Phone: %s\n", phone);
LogPrintf(LOG_PHASE_BIT, "Phone: %s\n", phone);
break;
case 'U':
- bcopy(VarAuthName, result, strlen(VarAuthName));
- result += strlen(VarAuthName);
+ strncpy(result, VarAuthName, reslen);
+ reslen -= strlen(result);
+ result += strlen(result);
break;
default:
- *result++ = *str; break;
+ reslen--;
+ *result++ = *str;
+ break;
}
- if (*str) str++;
+ if (*str)
+ str++;
break;
case '^':
str++;
- if (*str)
+ if (*str) {
*result++ = *str++ & 0x1f;
+ reslen--;
+ }
break;
default:
*result++ = *str++;
+ reslen--;
break;
}
}
- if (addcr)
- *result++ = '\r';
- *result++ = '\0';
+ if (--reslen > 0) {
+ if (addcr)
+ *result++ = '\r';
+ }
+ if (--reslen > 0)
+ *result++ = '\0';
return(result);
}
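Review bot: The two `if (--reslen > 0)` tests at the end of ExpandString skip the final `'\0'` when only one or two bytes are left, so the bytes between `result` and the terminator preset at the top of the function keep whatever the caller's buffer held and become part of the string. The same tests also drop the `'\r'` in send mode when fewer than two bytes remain, without telling the caller. Since `result` never moves past the preset terminator, the tail can be written as `if (addcr && reslen > 0) *result++ = '\r';` followed by an unconditional `*result++ = '\0';`. The callers' buffers are declared outside this diff, so whether the stray bytes are stack residue is inferred, but the expanded string is what gets sent to the modem and logged.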
@@ -240,7 +259,7 @@ char *estr;
omask = sigblock(sigmask(SIGALRM));
#endif
clear_log();
- (void) ExpandString(estr, buff, 0);
+ (void) ExpandString(estr, buff, sizeof(buff), 0);
LogPrintf(LOG_CHAT_BIT, "Wait for (%d): %s --> %s\n", TimeoutSec, estr, buff);
str = buff;
inp = inbuff;
@@ -430,7 +449,7 @@ char *str;
if (abort_next) {
abort_next = 0;
- ExpandString(str, buff, 0);
+ ExpandString(str, buff, sizeof(buff), 0);
AbortStrings[numaborts++] = strdup(buff);
} else if (timeout_next) {
timeout_next = 0;
@@ -439,10 +458,10 @@ char *str;
TimeoutSec = 30;
} else {
if (*str == '!') {
- (void) ExpandString(str+1, buff+2, 0);
+ (void) ExpandString(str+1, buff+2, sizeof(buff)-2, 0);
ExecStr(buff + 2, buff + 2);
} else {
- (void) ExpandString(str, buff+2, 1);
+ (void) ExpandString(str, buff+2, sizeof(buff)-2, 1);
}
if (strstr(str, "\\P")) { /* Do not log the password itself. */
LogPrintf(LOG_CHAT_BIT, "sending: %s\n", str);
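Review bot: `ExecStr(buff + 2, buff + 2);` still takes no length, so the bound added to the ExpandString call on the line before it does not carry over to whatever ExecStr writes back. ExecStr is defined outside this diff; if it stores command output in its second argument, as the call suggests, that output is not limited to `sizeof(buff)-2` and needs the same treatment. I would give ExecStr a size parameter and pass `sizeof(buff)-2` here. The enclosing function starts before and ends after this hunk.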
diff --git a/usr.sbin/ppp/chat.h b/usr.sbin/ppp/chat.h
index bdb6dd0..5976129 100644
--- a/usr.sbin/ppp/chat.h
+++ b/usr.sbin/ppp/chat.h
@@ -18,12 +18,12 @@
* Columbus, OH 43221
* (614)451-1883
*
- * $Id: chat.c,v 1.5 1995/09/02 17:20:50 amurai Exp $
+ * $Id: chat.h,v 1.1 1996/01/11 17:48:39 phk Exp $
*
*/
#ifndef _CHAT_H_
#define _CHAT_H_
#include "cdefs.h"
-extern char * ExpandString __P((char *, char *, int));
+extern char * ExpandString __P((char *, char *, int, int));
extern int MakeArgs __P((char *, char **));
#endif
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index ad875c8..ccf496a 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: command.c,v 1.26 1996/12/22 17:09:12 jkh Exp $
+ * $Id: command.c,v 1.27 1996/12/22 17:29:30 jkh Exp $
*
*/
#include <sys/types.h>
@@ -922,18 +922,23 @@ int param;
switch (param) {
case VAR_AUTHKEY:
strncpy(VarAuthKey, *argv, sizeof(VarAuthKey)-1);
+ VarAuthKey[sizeof(VarAuthKey)-1] = '\0';
break;
case VAR_AUTHNAME:
strncpy(VarAuthName, *argv, sizeof(VarAuthName)-1);
+ VarAuthName[sizeof(VarAuthName)-1] = '\0';
break;
case VAR_DIAL:
strncpy(VarDialScript, *argv, sizeof(VarDialScript)-1);
+ VarDialScript[sizeof(VarDialScript)-1] = '\0';
break;
case VAR_LOGIN:
strncpy(VarLoginScript, *argv, sizeof(VarDialScript)-1);
+ VarLoginScript[sizeof(VarLoginScript)-1] = '\0';
break;
case VAR_DEVICE:
strncpy(VarDevice, *argv, sizeof(VarDevice)-1);
+ VarDevice[sizeof(VarDevice)-1] = '\0';
break;
case VAR_ACCMAP:
sscanf(*argv, "%lx", &map);
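Review bot: The VAR_LOGIN case still bounds its copy with the wrong buffer, `strncpy(VarLoginScript, *argv, sizeof(VarDialScript)-1);`, while the terminator added below it uses `sizeof(VarLoginScript)`. If VarLoginScript is smaller than VarDialScript (both are declared outside this diff) the copy can still run past its end; the bound should read `sizeof(VarLoginScript)-1`. The enclosing function starts and ends outside the hunk.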
@@ -941,6 +946,7 @@ int param;
break;
case VAR_PHONE:
strncpy(VarPhoneList, *argv, sizeof(VarPhoneList)-1);
+ VarPhoneList[sizeof(VarPhoneList)-1] = '\0';
strcpy(VarPhoneCopy, VarPhoneList);
VarNextPhone = VarPhoneCopy;
break;
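Review bot: `strcpy(VarPhoneCopy, VarPhoneList);` is left unbounded directly under the new terminator line, so the VAR_PHONE case is only safe if VarPhoneCopy is at least as large as VarPhoneList. Both arrays are declared outside this diff, so that cannot be confirmed from here. Bounding it like its neighbours removes the dependency: `strncpy(VarPhoneCopy, VarPhoneList, sizeof(VarPhoneCopy)-1);` and `VarPhoneCopy[sizeof(VarPhoneCopy)-1] = '\0';`.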
diff --git a/usr.sbin/ppp/ipcp.c b/usr.sbin/ppp/ipcp.c
index 3be3686..2b72002 100644
--- a/usr.sbin/ppp/ipcp.c
+++ b/usr.sbin/ppp/ipcp.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: ipcp.c,v 1.9 1996/10/06 13:32:28 jkh Exp $
+ * $Id: ipcp.c,v 1.10 1996/12/12 14:39:44 jkh Exp $
*
* TODO:
* o More RFC1772 backwoard compatibility
@@ -269,7 +269,8 @@ struct fsm *fp;
#endif
Prompt(1);
LogPrintf(LOG_LCP_BIT, "%s: LayerUp.\n", fp->name);
- sprintf(tbuff, "myaddr = %s ", inet_ntoa(IpcpInfo.want_ipaddr));
+ snprintf(tbuff, sizeof(tbuff), "myaddr = %s ",
+ inet_ntoa(IpcpInfo.want_ipaddr));
LogPrintf(LOG_LCP_BIT|LOG_LINK_BIT, " %s hisaddr = %s\n", tbuff, inet_ntoa(IpcpInfo.his_ipaddr));
OsSetIpaddress(IpcpInfo.want_ipaddr, IpcpInfo.his_ipaddr, ifnetmask);
OsLinkup();
@@ -319,6 +320,7 @@ int mode;
struct compreq *pcomp;
struct in_addr ipaddr, dstipaddr, dnsstuff, ms_info_req;
char tbuff[100];
+ char tbuff2[100];
ackp = AckBuff;
nakp = NakBuff;
@@ -330,9 +332,9 @@ int mode;
type = *cp;
length = cp[1];
if (type <= TY_IPADDR)
- sprintf(tbuff, " %s[%d] ", cftypes[type], length);
+ snprintf(tbuff, sizeof(tbuff), " %s[%d] ", cftypes[type], length);
else
- sprintf(tbuff, " ");
+ snprintf(tbuff, sizeof(tbuff), " ");
switch (type) {
case TY_IPADDR: /* RFC1332 */
@@ -362,8 +364,8 @@ int mode;
/*
* Use address suggested by peer.
*/
- sprintf(tbuff+50, "%s changing address: %s ", tbuff, inet_ntoa(IpcpInfo.want_ipaddr));
- LogPrintf(LOG_LCP_BIT, "%s --> %s\n", tbuff+50, inet_ntoa(ipaddr));
+ snprintf(tbuff2, sizeof(tbuff2), "%s changing address: %s ", tbuff, inet_ntoa(IpcpInfo.want_ipaddr));
+ LogPrintf(LOG_LCP_BIT, "%s --> %s\n", tbuff2, inet_ntoa(ipaddr));
IpcpInfo.want_ipaddr = ipaddr;
}
break;
diff --git a/usr.sbin/ppp/log.c b/usr.sbin/ppp/log.c
index 3b0593a..23d0f05 100644
--- a/usr.sbin/ppp/log.c
+++ b/usr.sbin/ppp/log.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: log.c,v 1.3 1995/05/30 03:50:43 rgrimes Exp $
+ * $Id: log.c,v 1.4 1996/05/11 20:48:30 phk Exp $
*
*/
#include "defs.h"
@@ -146,7 +146,7 @@ vlogprintf(format, ap)
char *format;
va_list ap;
{
- vsprintf(logptr, format, ap);
+ vsnprintf(logptr, sizeof(logbuff)-(logptr-logbuff), format, ap);
logptr += strlen(logptr);
LogFlush();
}
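Review bot: The remaining-space expression `sizeof(logbuff)-(logptr-logbuff)` is written out by hand here and in the five other calls this commit changes in log.c (the two header lines, the two hex-dump loops and LogTimeStamp), which makes it easy for one copy to drift. A single helper, for example `#define LOG_REMAIN (sizeof(logbuff) - (size_t)(logptr - logbuff))`, would keep them identical. The expression is only correct while logbuff is a true array rather than a pointer; its declaration is outside this diff, so a comment beside it saying so would help. Output that no longer fits is now silently truncated, which is worth stating in the same comment.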
@@ -184,7 +184,7 @@ struct mbuf *bp;
if (!(loglevel & (1 << level)))
return;
LogTimeStamp();
- sprintf(logptr, "%s\n", header);
+ snprintf(logptr, sizeof(logbuff)-(logptr-logbuff), "%s\n", header);
logptr += strlen(logptr);
loc = 0;
LogTimeStamp();
@@ -192,7 +192,7 @@ struct mbuf *bp;
cp = MBUF_CTOP(bp);
cnt = bp->cnt;
while (cnt-- > 0) {
- sprintf(logptr, " %02x", *cp++);
+ snprintf(logptr, sizeof(logbuff)-(logptr-logbuff), " %02x", *cp++);
logptr += strlen(logptr);
if (++loc == 16) {
loc = 0;
@@ -221,12 +221,12 @@ int cnt;
if (!(loglevel & (1 << level)))
return;
LogTimeStamp();
- sprintf(logptr, "%s\n", header);
+ snprintf(logptr, sizeof(logbuff)-(logptr-logbuff), "%s\n", header);
logptr += strlen(logptr);
LogTimeStamp();
loc = 0;
while (cnt-- > 0) {
- sprintf(logptr, " %02x", *ptr++);
+ snprintf(logptr, sizeof(logbuff)-(logptr-logbuff), " %02x", *ptr++);
logptr += strlen(logptr);
if (++loc == 16) {
loc = 0;
@@ -248,7 +248,8 @@ LogTimeStamp()
mypid = getpid();
ltime = time(0);
ptm = localtime(&ltime);
- sprintf(logptr, "%02d-%02d %02d:%02d:%02d [%d] ",
+ snprintf(logptr, sizeof(logbuff)-(logptr-logbuff),
+ "%02d-%02d %02d:%02d:%02d [%d] ",
ptm->tm_mon + 1, ptm->tm_mday,
ptm->tm_hour, ptm->tm_min, ptm->tm_sec, mypid);
logptr += strlen(logptr);
diff --git a/usr.sbin/ppp/main.c b/usr.sbin/ppp/main.c
index 75d78a5..cc0f7a1 100644
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: main.c,v 1.25 1996/12/19 00:41:42 nate Exp $
+ * $Id: main.c,v 1.26 1996/12/22 17:29:31 jkh Exp $
*
* TODO:
* o Add commands for traffic summary, version display, etc.
@@ -448,7 +448,7 @@ char **argv;
snprintf(pid_filename, sizeof (pid_filename), "%s/ppp.tun%d.pid",
_PATH_VARRUN, tunno);
unlink(pid_filename);
- sprintf(pid, "%d\n", (int)getpid());
+ snprintf(pid, sizeof(pid), "%d\n", (int)getpid());
if ((fd = open(pid_filename, O_RDWR|O_CREAT, 0666)) != -1)
{
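Review bot: The pid file in the context lines of this hunk is created with `open(pid_filename, O_RDWR|O_CREAT, 0666)` right after `unlink(pid_filename)`, so anything placed at that path between the two calls, a symlink included, is opened and written to. Adding `O_EXCL` makes the open fail in that case, and a tighter mode avoids relying on the umask: `open(pid_filename, O_RDWR|O_CREAT|O_EXCL, 0644)`. The code that writes `pid` and closes the descriptor lies beyond the end of the hunk.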
diff --git a/usr.sbin/ppp/modem.c b/usr.sbin/ppp/modem.c
index a4fdcae..67aa08e 100644
--- a/usr.sbin/ppp/modem.c
+++ b/usr.sbin/ppp/modem.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: modem.c,v 1.25 1996/12/22 17:09:14 jkh Exp $
+ * $Id: modem.c,v 1.26 1996/12/22 17:29:32 jkh Exp $
*
* TODO:
*/
@@ -384,7 +384,8 @@ int mode;
modem = open(ctermid(NULL), O_RDWR|O_NONBLOCK);
} else if (modem == 0) {
if (strncmp(VarDevice, "/dev", 4) == 0) {
- strcpy(uucplock, rindex(VarDevice, '/')+1);
+ strncpy(uucplock, rindex(VarDevice, '/')+1,sizeof(uucplock)-1);
+ uucplock[sizeof(uucplock)-1] = '\0';
if (uu_lock(uucplock) < 0) {
LogPrintf(LOG_PHASE_BIT, "Modem %s is in use\n", VarDevice);
return(-1);
@@ -726,11 +727,12 @@ DialModem()
char ScriptBuffer[200];
int excode = 0;
- strcpy(ScriptBuffer, VarDialScript);
+ strncpy(ScriptBuffer, VarDialScript,sizeof(ScriptBuffer)-1);
+ ScriptBuffer[sizeof(ScriptBuffer)-1] = '\0';
if (DoChat(ScriptBuffer) > 0) {
if ((mode & (MODE_INTER|MODE_AUTO)) == MODE_INTER)
fprintf(stderr, "dial OK!\n");
- strcpy(ScriptBuffer, VarLoginScript);
+ strncpy(ScriptBuffer, VarLoginScript,sizeof(ScriptBuffer)-1);
if (DoChat(ScriptBuffer) > 0) {
if ((mode & (MODE_INTER|MODE_AUTO)) == MODE_INTER)
fprintf(stderr, "login OK!\n");
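Review bot: The second copy, `strncpy(ScriptBuffer, VarLoginScript,sizeof(ScriptBuffer)-1);`, has no terminator line after it, unlike the dial-script copy a few lines above. It holds today only because the last byte was set to `'\0'` earlier and nothing in between is expected to overwrite it; DoChat is defined outside this diff, so that is an assumption. Adding `ScriptBuffer[sizeof(ScriptBuffer)-1] = '\0';` after it makes the two copies match. A script longer than 199 bytes is now cut short without any message, so a LogPrintf on truncation would make a half-sent dial or login script visible.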
diff --git a/usr.sbin/ppp/os.c b/usr.sbin/ppp/os.c
index 5998d0e..35d77b6 100644
--- a/usr.sbin/ppp/os.c
+++ b/usr.sbin/ppp/os.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: os.c,v 1.8 1996/12/10 17:00:38 wollman Exp $
+ * $Id: os.c,v 1.9 1997/01/03 20:19:43 wollman Exp $
*
*/
#include "fsm.h"
@@ -276,7 +276,7 @@ int *ptun;
unsigned unit, enoentcount=0;
for( unit=0; unit <= MAX_TUN ; unit++ ) {
- sprintf( devname, "/dev/tun%d", unit );
+ snprintf( devname, sizeof(devname), "/dev/tun%d", unit );
tun_out = open(devname, O_RDWR);
if( tun_out >= 0 )
break;
@@ -297,13 +297,13 @@ int *ptun;
/*
* At first, name the interface.
*/
- strcpy(ifname, devname + 5);
+ strncpy(ifname, devname + 5, IFNAMSIZ-1);
bzero((char *)&ifra, sizeof(ifra));
bzero((char *)&ifrq, sizeof(ifrq));
- strncpy(ifrq.ifr_name, ifname, IFNAMSIZ);
- strncpy(ifra.ifra_name, ifname, IFNAMSIZ);
+ strncpy(ifrq.ifr_name, ifname, IFNAMSIZ-1);
+ strncpy(ifra.ifra_name, ifname, IFNAMSIZ-1);
s = socket(AF_INET, SOCK_DGRAM, 0);
if (s < 0) {
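Review bot: `strncpy(ifname, devname + 5, IFNAMSIZ-1);` bounds the copy but never terminates `ifname`, and it uses IFNAMSIZ rather than the size of `ifname` itself. The two request structures are zeroed by the bzero calls before their copies, so those names are terminated, but `ifname` is declared outside this hunk and is only terminated if it happens to be zero-initialised. I would add `ifname[IFNAMSIZ-1] = '\0';` after the copy, or bound it with `sizeof(ifname)-1` if ifname is an array. The enclosing function starts and ends outside the hunk.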
diff --git a/usr.sbin/ppp/passwdauth.c b/usr.sbin/ppp/passwdauth.c
index 5413d43..5de62f7 100644
--- a/usr.sbin/ppp/passwdauth.c
+++ b/usr.sbin/ppp/passwdauth.c
@@ -96,7 +96,7 @@ char *name, *key;
else
(void)strncpy(utmp.ut_line, dstsystem, sizeof(utmp.ut_line));
- (void)strcpy(utmp.ut_host, "auto-ppp" );
+ (void)strncpy(utmp.ut_host, "auto-ppp",sizeof(utmp.ut_host));
login(&utmp);
(void)setlogin( pwd->pw_name );