From: Fabio M. Di Nitto <fdinitto@redhat.com>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [PATCH 22/41] cman: fix several virtually impossible buffer overflows
Date: Wed, 23 Nov 2011 11:15:41 +0100 [thread overview]
Message-ID: <2c3aad52b6fea7c5bfef5c29aa070adabe5f34a3.1322043045.git.fdinitto@redhat.com> (raw)
In-Reply-To: <1322043360-17037-1-git-send-email-fdinitto@redhat.com>
Spotted by Coverity Scan
Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
---
:100644 100644 6b5640a... ea5020c... M cman/daemon/ais.c
:100644 100644 37283ba... c356abe... M cman/daemon/barrier.c
:100644 100644 d632c17... baf94df... M cman/daemon/cman-preconfig.c
:100644 100644 d3009d0... 7eb52e4... M cman/daemon/cmanconfig.c
:100644 100644 6b61332... f397234... M cman/daemon/commands.c
cman/daemon/ais.c | 2 +-
cman/daemon/barrier.c | 6 +-
cman/daemon/cman-preconfig.c | 114 +++++++++++++++++++++---------------------
cman/daemon/cmanconfig.c | 2 +-
cman/daemon/commands.c | 18 +++---
5 files changed, 71 insertions(+), 71 deletions(-)
diff --git a/cman/daemon/ais.c b/cman/daemon/ais.c
index 6b5640a..ea5020c 100644
--- a/cman/daemon/ais.c
+++ b/cman/daemon/ais.c
@@ -213,7 +213,7 @@ static int cman_exec_init_fn(struct corosync_api_v1 *api)
cman_init(api);
/* Let cman_tool know we are running and our PID */
- sprintf(pipe_msg,"SUCCESS: %d", getpid());
+ snprintf(pipe_msg, sizeof(pipe_msg) - 1,"SUCCESS: %d", getpid());
write_cman_pipe(pipe_msg);
close(startup_pipe);
startup_pipe = 0;
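Review bot: The `- 1` on the size argument is unnecessary here: snprintf() already reserves room for the terminating NUL within the size it is given, so `snprintf(pipe_msg, sizeof(pipe_msg), "SUCCESS: %d", getpid());` is the full-capacity form and the patched call just gives up one usable byte. The same pattern repeats in every snprintf() hunk in cman-preconfig.c and commands.c, and the `tmp` (DEFAULT_TOKEN_TIMEOUT) and `calc_consensus` hunks replace an already-correct `sizeof(...)` with `sizeof(...) - 1`. None of these calls check the return value, so truncation goes unnoticed. The buffer declarations are outside the hunks; `sizeof` is the right bound only where the destination is a true array rather than a pointer, which is worth confirming for `pipe_msg`, `error_reason` and `tmp`.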
diff --git a/cman/daemon/barrier.c b/cman/daemon/barrier.c
index 37283ba..c356abe 100644
--- a/cman/daemon/barrier.c
+++ b/cman/daemon/barrier.c
@@ -101,7 +101,7 @@ static void check_barrier_complete_phase1(struct cl_barrier *barrier)
bmsg.cmd = CLUSTER_MSG_BARRIER;
bmsg.subcmd = BARRIER_COMPLETE;
- strcpy(bmsg.name, barrier->name);
+ strncpy(bmsg.name, barrier->name, MAX_BARRIER_NAME_LEN - 1);
log_printf(LOGSYS_LEVEL_DEBUG, "barrier: Sending COMPLETE for %s\n", barrier->name);
comms_send_message((char *) &bmsg, sizeof (bmsg),
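Review bot: strncpy() with a bound of `MAX_BARRIER_NAME_LEN - 1` never writes the last byte of `bmsg.name`, so the field is NUL-terminated only if `bmsg` was zeroed beforehand; its declaration is outside this hunk. Unless that is the case, add `bmsg.name[MAX_BARRIER_NAME_LEN - 1] = '\0';` after the copy, since the struct is sent to other nodes right after. This assumes the field is MAX_BARRIER_NAME_LEN bytes — confirm against the struct definition. The same applies to the `bmsg.name` copy in barrier_setattr_enabled and to the `unode->name`, `fence_msg->agent` and `f->fence_agent` copies in commands.c; alloc_barrier is fine because of the memset() just before its copy.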
@@ -160,7 +160,7 @@ static struct cl_barrier *alloc_barrier(char *name, int nodes)
}
memset(barrier, 0, sizeof (*barrier));
- strcpy(barrier->name, name);
+ strncpy(barrier->name, name, MAX_BARRIER_NAME_LEN - 1);
barrier->flags = 0;
barrier->expected_nodes = nodes;
barrier->got_nodes = 0;
@@ -268,7 +268,7 @@ static int barrier_setattr_enabled(struct cl_barrier *barrier,
/* Send it to the rest of the cluster */
bmsg.cmd = CLUSTER_MSG_BARRIER;
bmsg.subcmd = BARRIER_WAIT;
- strcpy(bmsg.name, barrier->name);
+ strncpy(bmsg.name, barrier->name, MAX_BARRIER_NAME_LEN - 1);
barrier->waitsent = 1;
barrier->phase = 1;
diff --git a/cman/daemon/cman-preconfig.c b/cman/daemon/cman-preconfig.c
index d632c17..baf94df 100644
--- a/cman/daemon/cman-preconfig.c
+++ b/cman/daemon/cman-preconfig.c
@@ -302,14 +302,14 @@ static int add_ifaddr(struct objdb_iface_ver0 *objdb, char *mcast, char *ifaddr,
/* Check the families match */
if (address_family(mcast, &mcast_addr, 0) !=
address_family(ifaddr, &if_addr, mcast_addr.ss_family)) {
- sprintf(error_reason, "Node address family does not match multicast address family");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Node address family does not match multicast address family");
return -1;
}
/* Check it's not bound to localhost, sigh */
get_localhost(if_addr.ss_family, &localhost);
if (ipaddr_equal(&localhost, &if_addr)) {
- sprintf(error_reason, "Node name resolves to localhost, please check /etc/hosts and assign this node a network IP address");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Node name resolves to localhost, please check /etc/hosts and assign this node a network IP address");
return -1;
}
@@ -325,7 +325,7 @@ static int add_ifaddr(struct objdb_iface_ver0 *objdb, char *mcast, char *ifaddr,
objdb->object_key_create_typed(totem_object_handle, "transport",
tx_mech_to_str[transport], strlen(tx_mech_to_str[transport]) + 1, OBJDB_VALUETYPE_STRING);
} else {
- sprintf(error_reason, "Transport should not be specified within <totem .../>, use <cman transport=\"...\" /> instead");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Transport should not be specified within <totem .../>, use <cman transport=\"...\" /> instead");
return -1;
}
}
@@ -336,7 +336,7 @@ static int add_ifaddr(struct objdb_iface_ver0 *objdb, char *mcast, char *ifaddr,
struct sockaddr_in6 *in6= (struct sockaddr_in6 *)&if_addr;
void *addrptr;
- sprintf(tmp, "%d", num_interfaces);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", num_interfaces);
objdb->object_key_create_typed(interface_object_handle, "ringnumber",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
@@ -363,19 +363,19 @@ static int add_ifaddr(struct objdb_iface_ver0 *objdb, char *mcast, char *ifaddr,
break;
}
- sprintf(tmp, "%d", port);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", port);
objdb->object_key_create_typed(interface_object_handle, "mcastport",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
/* paranoia check. corosync already does it */
if ((ttl < 0) || (ttl > 255)) {
- sprintf(error_reason, "TTL value (%u) out of range (0 - 255)", ttl);
+ snprintf(error_reason, sizeof(error_reason) - 1, "TTL value (%u) out of range (0 - 255)", ttl);
return -1;
}
/* add the key to the objdb only if value is not default */
if (ttl != 1) {
- sprintf(tmp, "%d", ttl);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", ttl);
objdb->object_key_create_typed(interface_object_handle, "ttl",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
}
@@ -412,7 +412,7 @@ static char *default_mcast(char *node, int altiface)
default a multicast address */
ret = getaddrinfo(node, NULL, &ahints, &ainfo);
if (ret) {
- sprintf(error_reason, "Can't determine address family of nodename %s\n", node);
+ snprintf(error_reason, sizeof(error_reason) - 1, "Can't determine address family of nodename %s\n", node);
write_cman_pipe("Can't determine address family of nodename");
return NULL;
}
@@ -448,13 +448,13 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
return 0;
/* If nodename was from uname, try a domain-less version of it */
- strcpy(nodename2, node);
+ strncpy(nodename2, node, sizeof(nodename2) - 1);
dot = strchr(nodename2, '.');
if (dot) {
*dot = '\0';
if (nodelist_byname(objdb, cluster_parent_handle, nodename2)) {
- strcpy(node, nodename2);
+ strncpy(node, nodename2, MAX_CLUSTER_MEMBER_NAME_LEN - 1);
return 0;
}
}
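Review bot: `strncpy(nodename2, node, sizeof(nodename2) - 1);` leaves `nodename2` without a guaranteed terminator, and the very next line runs strchr() over it. If `node` is as long as the bound, the last byte keeps whatever it held before, unless `nodename2` is zero-initialised at its declaration, which is outside the hunk. Adding `nodename2[sizeof(nodename2) - 1] = '\0';` after the copy makes the strchr() safe regardless. The later `nodename3` copy and the "Restore this" copy of `nodename2` in the same function need the same line.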
@@ -466,12 +466,12 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
int len;
if (objdb_get_string(objdb, nodes_handle, "name", &str)) {
- sprintf(error_reason, "Cannot get node name");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Cannot get node name");
nodes_handle = nodeslist_next(objdb, find_handle);
continue;
}
- strcpy(nodename3, str);
+ strncpy(nodename3, str, sizeof(nodename3) - 1);
dot = strchr(nodename3, '.');
if (dot)
len = dot-nodename3;
@@ -480,7 +480,7 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
if (strlen(nodename2) == len &&
!strncmp(nodename2, nodename3, len)) {
- strcpy(node, str);
+ strncpy(node, str, sizeof(nodename) - 1);
return 0;
}
nodes_handle = nodeslist_next(objdb, find_handle);
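Review bot: The bound `sizeof(nodename) - 1` describes a different object than the destination: `node` is a `char *` parameter, while `nodename` appears to be a file-scope array (get_nodename also takes its sizeof). The copy is therefore in bounds only as long as every caller passes a buffer at least that large. The earlier hunk in this function uses `MAX_CLUSTER_MEMBER_NAME_LEN - 1` for the same destination, so the function now carries two different limits for `node`. Pick one, ideally by documenting the required buffer size on verify_nodename or passing the length in, and use it at all five `strncpy(node, ...)` sites.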
@@ -499,7 +499,7 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
socklen_t salen = 0;
/* Restore this */
- strcpy(nodename2, node);
+ strncpy(nodename2, node, sizeof(nodename2) - 1);
sa = ifa->ifa_addr;
if (!sa)
continue;
@@ -516,7 +516,7 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
if (!error) {
if (nodelist_byname(objdb, cluster_parent_handle, nodename2)) {
- strcpy(node, nodename2);
+ strncpy(node, nodename2, sizeof(nodename) - 1);
goto out;
}
@@ -526,7 +526,7 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
*dot = '\0';
if (nodelist_byname(objdb, cluster_parent_handle, nodename2)) {
- strcpy(node, nodename2);
+ strncpy(node, nodename2, sizeof(nodename) - 1);
goto out;
}
}
@@ -539,7 +539,7 @@ static int verify_nodename(struct objdb_iface_ver0 *objdb, char *node)
continue;
if (nodelist_byname(objdb, cluster_parent_handle, nodename2)) {
- strcpy(node, nodename2);
+ strncpy(node, nodename2, sizeof(nodename) - 1);
goto out;
}
}
@@ -626,16 +626,16 @@ static int get_nodename(struct objdb_iface_ver0 *objdb)
/* our nodename */
if (nodename_env != NULL) {
if (strlen(nodename_env) >= sizeof(nodename)) {
- sprintf(error_reason, "Overridden node name %s is too long", nodename);
+ snprintf(error_reason, sizeof(error_reason) - 1, "Overridden node name %s is too long", nodename);
write_cman_pipe("Overridden node name is too long");
error = -1;
goto out;
}
- strcpy(nodename, nodename_env);
+ strncpy(nodename, nodename_env, sizeof(nodename) - 1);
if (!(node_object_handle = nodelist_byname(objdb, cluster_parent_handle, nodename))) {
- sprintf(error_reason, "Overridden node name %s is not in CCS", nodename);
+ snprintf(error_reason, sizeof(error_reason) - 1, "Overridden node name %s is not in CCS", nodename);
write_cman_pipe("Overridden node name is not in CCS");
error = -1;
goto out;
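Review bot: The "too long" message formats `nodename`, but the value that failed the length check is `nodename_env`; `nodename` is only assigned from it a few lines later. The logged name will therefore be stale or empty rather than the offending override. Now that snprintf() bounds the output it is safe to print the real value: `snprintf(error_reason, sizeof(error_reason), "Overridden node name %s is too long", nodename_env);`. The function body continues outside this hunk.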
@@ -646,20 +646,20 @@ static int get_nodename(struct objdb_iface_ver0 *objdb)
error = uname(&utsname);
if (error) {
- sprintf(error_reason, "cannot get node name, uname failed");
+ snprintf(error_reason, sizeof(error_reason) - 1, "cannot get node name, uname failed");
write_cman_pipe("Can't determine local node name, uname failed");
error = -1;
goto out;
}
if (strlen(utsname.nodename) >= sizeof(nodename)) {
- sprintf(error_reason, "node name from uname is too long");
+ snprintf(error_reason, sizeof(error_reason) - 1, "node name from uname is too long");
write_cman_pipe("local node name is too long");
error = -1;
goto out;
}
- strcpy(nodename, utsname.nodename);
+ strncpy(nodename, utsname.nodename, sizeof(nodename) - 1);
}
if (verify_nodename(objdb, nodename)) {
write_cman_pipe("Cannot find node name in cluster.conf");
@@ -671,7 +671,7 @@ static int get_nodename(struct objdb_iface_ver0 *objdb)
/* Add <cman> bits to pass down to the main module*/
if ( (node_object_handle = nodelist_byname(objdb, cluster_parent_handle, nodename))) {
if (objdb_get_string(objdb, node_object_handle, "nodeid", &nodeid_str)) {
- sprintf(error_reason, "This node has no nodeid in cluster.conf");
+ snprintf(error_reason, sizeof(error_reason) - 1, "This node has no nodeid in cluster.conf");
write_cman_pipe("This node has no nodeid in cluster.conf");
return -1;
}
@@ -711,7 +711,7 @@ static int get_nodename(struct objdb_iface_ver0 *objdb)
objdb->object_find_destroy(find_handle);
if (!nodeid_str) {
- sprintf(error_reason, "This node has no nodeid in cluster.conf");
+ snprintf(error_reason, sizeof(error_reason) - 1, "This node has no nodeid in cluster.conf");
write_cman_pipe("This node has no nodeid in cluster.conf");
return -1;
}
@@ -746,7 +746,7 @@ static int get_nodename(struct objdb_iface_ver0 *objdb)
if (transport != TX_MECH_UDPB) {
transport = TX_MECH_UDPU;
} else {
- sprintf(error_reason, "Transport and broadcast option are mutually exclusive");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Transport and broadcast option are mutually exclusive");
write_cman_pipe("Transport and broadcast option are mutually exclusive");
return -1;
}
@@ -754,12 +754,12 @@ static int get_nodename(struct objdb_iface_ver0 *objdb)
if (transport != TX_MECH_UDPB) {
transport = TX_MECH_RDMA;
} else {
- sprintf(error_reason, "Transport and broadcast option are mutually exclusive");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Transport and broadcast option are mutually exclusive");
write_cman_pipe("Transport and broadcast option are mutually exclusive");
return -1;
}
} else {
- sprintf(error_reason, "Transport option value can be one of udp, udpb, udpu, rdma");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Transport option value can be one of udp, udpb, udpu, rdma");
write_cman_pipe("Transport option value can be one of udp, udpb, udpu, rdma");
return -1;
}
@@ -931,7 +931,7 @@ static void add_cman_overrides(struct objdb_iface_ver0 *objdb)
objdb->object_key_create_typed(object_handle, "version",
"2", 2, OBJDB_VALUETYPE_STRING);
- sprintf(tmp, "%d", nodeid);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", nodeid);
objdb->object_key_create_typed(object_handle, "nodeid",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
@@ -941,7 +941,7 @@ static void add_cman_overrides(struct objdb_iface_ver0 *objdb)
/* Set the token timeout is 10 seconds, but don't overrride anything that
might be in cluster.conf */
if (objdb_get_string(objdb, object_handle, "token", &value)) {
- snprintf(tmp, sizeof(tmp), "%d", DEFAULT_TOKEN_TIMEOUT);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", DEFAULT_TOKEN_TIMEOUT);
objdb->object_key_create_typed(object_handle, "token",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
}
@@ -976,7 +976,7 @@ static void add_cman_overrides(struct objdb_iface_ver0 *objdb)
if (objdb_get_string(objdb, object_handle, "consensus", &value)) {
unsigned int token=0;
unsigned int consensus;
- char calc_consensus[32];
+ char calc_consensus[64];
objdb_get_int(objdb, object_handle, "token", &token, DEFAULT_TOKEN_TIMEOUT);
@@ -990,7 +990,7 @@ static void add_cman_overrides(struct objdb_iface_ver0 *objdb)
consensus = 2000;
}
- snprintf(calc_consensus, sizeof(calc_consensus), "%d", consensus);
+ snprintf(calc_consensus, sizeof(calc_consensus) - 1, "%d", consensus);
objdb->object_key_create_typed(object_handle, "consensus",
calc_consensus, strlen(calc_consensus)+1, OBJDB_VALUETYPE_STRING);
}
@@ -1015,7 +1015,7 @@ static void add_cman_overrides(struct objdb_iface_ver0 *objdb)
}
if (objdb_get_string(objdb, object_handle, "secauth", &value)) {
- sprintf(tmp, "%d", 1);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", 1);
objdb->object_key_create_typed(object_handle, "secauth",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
}
@@ -1067,13 +1067,13 @@ static void add_cman_overrides(struct objdb_iface_ver0 *objdb)
{
char str[255];
- sprintf(str, "%d", cluster_id);
+ snprintf(str, sizeof(str) - 1, "%d", cluster_id);
objdb->object_key_create_typed(object_handle, "cluster_id",
str, strlen(str) + 1, OBJDB_VALUETYPE_STRING);
if (two_node) {
- sprintf(str, "%d", 1);
+ snprintf(str, sizeof(str) - 1, "%d", 1);
objdb->object_key_create_typed(object_handle, "two_node",
str, strlen(str) + 1, OBJDB_VALUETYPE_STRING);
}
@@ -1118,7 +1118,7 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
/* Enforce key */
key_filename = strdup(NOCCS_KEY_FILENAME);
if (!key_filename) {
- sprintf(error_reason, "cannot allocate memory for key file name");
+ snprintf(error_reason, sizeof(error_reason) - 1, "cannot allocate memory for key file name");
write_cman_pipe("cannot allocate memory for key file name");
return -1;
}
@@ -1127,7 +1127,7 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
cluster_name = strdup(DEFAULT_CLUSTER_NAME);
if (!cluster_name) {
- sprintf(error_reason, "cannot allocate memory for cluster_name");
+ snprintf(error_reason, sizeof(error_reason) - 1, "cannot allocate memory for cluster_name");
write_cman_pipe("cannot allocate memory for cluster_name");
return -1;
}
@@ -1138,7 +1138,7 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
else
cluster_id = generate_cluster_id(cluster_name);
- sprintf(error_reason, "Generated cluster id for '%s' is %d\n", cluster_name, cluster_id);
+ snprintf(error_reason, sizeof(error_reason) - 1, "Generated cluster id for '%s' is %d\n", cluster_name, cluster_id);
}
if (!nodename_env) {
@@ -1147,14 +1147,14 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
error = uname(&utsname);
if (error) {
- sprintf(error_reason, "cannot get node name, uname failed");
+ snprintf(error_reason, sizeof(error_reason) - 1, "cannot get node name, uname failed");
write_cman_pipe("Can't determine local node name");
return -1;
}
nodename_env = (char *)&utsname.nodename;
}
- strcpy(nodename, nodename_env);
+ strncpy(nodename, nodename_env, sizeof(nodename) - 1);
num_nodenames = 1;
if (!mcast_name) {
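Review bot: This copy truncates silently: unlike get_nodename, no `strlen(nodename_env) >= sizeof(nodename)` check is visible before `strncpy(nodename, nodename_env, sizeof(nodename) - 1);`. An over-long override would be shortened, and the shortened name is what later reaches getaddrinfo() and the objdb "name" key. Rejecting the value with the same error path get_nodename uses is safer than joining under a name the administrator did not configure. Whether a check exists earlier in set_noccs_defaults cannot be seen from this hunk.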
@@ -1179,7 +1179,7 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
memset(&ahints, 0, sizeof(ahints));
ret = getaddrinfo(nodename, NULL, &ahints, &ainfo);
if (ret) {
- sprintf(error_reason, "Can't determine address family of nodename %s\n", nodename);
+ snprintf(error_reason, sizeof(error_reason) - 1, "Can't determine address family of nodename %s\n", nodename);
write_cman_pipe("Can't determine address family of nodename");
return -1;
}
@@ -1203,11 +1203,11 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
objdb->object_key_create_typed(object_handle, "name",
nodename, strlen(nodename)+1, OBJDB_VALUETYPE_STRING);
- sprintf(tmp, "%d", votes);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", votes);
objdb->object_key_create_typed(object_handle, "votes",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
- sprintf(tmp, "%d", nodeid);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", nodeid);
objdb->object_key_create_typed(object_handle, "nodeid",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
@@ -1222,11 +1222,11 @@ static int set_noccs_defaults(struct objdb_iface_ver0 *objdb)
objdb->object_create(cluster_parent_handle, &object_handle,
"cman", strlen("cman"));
}
- sprintf(tmp, "%d", cluster_id);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", cluster_id);
objdb->object_key_create_typed(object_handle, "cluster_id",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
- sprintf(tmp, "%d", expected_votes);
+ snprintf(tmp, sizeof(tmp) - 1, "%d", expected_votes);
objdb->object_key_create_typed(object_handle, "expected_votes",
tmp, strlen(tmp)+1, OBJDB_VALUETYPE_STRING);
@@ -1269,7 +1269,7 @@ static int copy_config_tree(struct objdb_iface_ver0 *objdb, hdb_handle_t source_
/* Create sub-objects */
res = objdb->object_find_create(source_object, NULL, 0, &find_handle);
if (res) {
- sprintf(error_reason, "error resetting object iterator for object %ud: %d\n", (unsigned int)source_object, res);
+ snprintf(error_reason, sizeof(error_reason) - 1, "error resetting object iterator for object %ud: %d\n", (unsigned int)source_object, res);
return -1;
}
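Review bot: The format string still contains `%ud`, which prints the unsigned value followed by a literal `d`; since this line is being touched anyway, `%u` is what the `(unsigned int)source_object` argument needs. A related mismatch is in the add_ifaddr TTL hunk, where `ttl` is tested with `ttl < 0` and so is presumably a signed int, yet is formatted with `%u`. Building with `-Wformat` would flag the latter.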
@@ -1310,13 +1310,13 @@ static int get_cman_globals(struct objdb_iface_ver0 *objdb)
objdb_get_string(objdb, cluster_parent_handle, "name", &cluster_name);
if (!cluster_name) {
- sprintf(error_reason, "Unable to determine cluster name.\n");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Unable to determine cluster name.\n");
write_cman_pipe("Unable to determine cluster name.\n");
return -1;
}
if (strlen(cluster_name) > 15) {
- sprintf(error_reason, "%s\n", "Invalid cluster name. It must be 15 characters or fewer\n");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Invalid cluster name. It must be 15 characters or fewer\n\n");
write_cman_pipe("Invalid cluster name. It must be 15 characters or fewer\n");
return -1;
}
@@ -1345,7 +1345,7 @@ static int get_cman_globals(struct objdb_iface_ver0 *objdb)
else
cluster_id = generate_cluster_id(cluster_name);
- sprintf(error_reason, "Generated cluster id for '%s' is %d\n", cluster_name, cluster_id);
+ snprintf(error_reason, sizeof(error_reason) - 1, "Generated cluster id for '%s' is %d\n", cluster_name, cluster_id);
}
}
objdb->object_find_destroy(find_handle);
@@ -1363,7 +1363,7 @@ static int cmanpre_reloadconfig(struct objdb_iface_ver0 *objdb, int flush, const
/* don't reload if we've been told to run configless */
if (getenv("CMAN_NOCONFIG")) {
- sprintf(error_reason, "Config not updated because we were run with cman_tool -X");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Config not updated because we were run with cman_tool -X");
ret = 0;
goto err;
}
@@ -1372,12 +1372,12 @@ static int cmanpre_reloadconfig(struct objdb_iface_ver0 *objdb, int flush, const
objdb->object_find_create(OBJECT_PARENT_HANDLE, "cluster", strlen("cluster"), &find_handle);
objdb->object_find_next(find_handle, &cluster_parent_handle);
if (!cluster_parent_handle) {
- sprintf (error_reason, "%s", "Cannot find old /cluster/ key in configuration\n");
+ snprintf (error_reason, sizeof(error_reason) - 1, "Cannot find old /cluster/ key in configuration\n");
goto err;
}
objdb->object_find_next(find_handle, &cluster_parent_handle_new);
if (!cluster_parent_handle_new) {
- sprintf (error_reason, "%s", "Cannot find new /cluster/ key in configuration\n");
+ snprintf (error_reason, sizeof(error_reason) - 1, "Cannot find new /cluster/ key in configuration\n");
goto err;
}
objdb->object_find_destroy(find_handle);
@@ -1387,7 +1387,7 @@ static int cmanpre_reloadconfig(struct objdb_iface_ver0 *objdb, int flush, const
config_version = atoi(config_value);
} else {
/* it should never ever happen.. */
- sprintf (error_reason, "%s", "Cannot find old /cluster/config_version key in configuration\n");
+ snprintf (error_reason, sizeof(error_reason) - 1, "Cannot find old /cluster/config_version key in configuration\n");
goto err;
}
}
@@ -1399,14 +1399,14 @@ static int cmanpre_reloadconfig(struct objdb_iface_ver0 *objdb, int flush, const
config_version_new = atoi(config_value);
} else {
objdb->object_destroy(cluster_parent_handle_new);
- sprintf (error_reason, "%s", "Cannot find new /cluster/config_version key in configuration\n");
+ snprintf (error_reason, sizeof(error_reason) - 1,"Cannot find new /cluster/config_version key in configuration\n");
goto err;
}
}
if (config_version_new <= config_version) {
objdb->object_destroy(cluster_parent_handle_new);
- sprintf (error_reason, "%s", "New configuration version has to be newer than current running configuration\n");
+ snprintf (error_reason, sizeof(error_reason) - 1, "New configuration version has to be newer than current running configuration\n");
goto err;
}
@@ -1600,11 +1600,11 @@ static int cmanpre_readconfig(struct objdb_iface_ver0 *objdb, const char **error
if (!ret) {
- sprintf (error_reason, "%s", "Successfully parsed cman config\n");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Successfully parsed cman config\n");
}
else {
if (error_reason[0] == '\0')
- sprintf (error_reason, "%s", "Error parsing cman config\n");
+ snprintf(error_reason, sizeof(error_reason) - 1, "Error parsing cman config\n");
}
*error_string = error_reason;
diff --git a/cman/daemon/cmanconfig.c b/cman/daemon/cmanconfig.c
index d3009d0..7eb52e4 100644
--- a/cman/daemon/cmanconfig.c
+++ b/cman/daemon/cmanconfig.c
@@ -175,7 +175,7 @@ static int get_cman_join_info(struct corosync_api_v1 *corosync)
goto out;
}
- strcpy(cluster_name, cname);
+ strncpy(cluster_name, cname, sizeof(cluster_name) - 1);
expected_votes = 0;
if (getenv("CMAN_EXPECTEDVOTES")) {
diff --git a/cman/daemon/commands.c b/cman/daemon/commands.c
index 6b61332..f397234 100644
--- a/cman/daemon/commands.c
+++ b/cman/daemon/commands.c
@@ -396,7 +396,7 @@ static void copy_to_usernode(struct cluster_node *node,
struct totem_ip_address node_ifs[INTERFACE_MAX];
/* totempg_ifaces_get always copies INTERFACE_MAX addresses */
- strcpy(unode->name, node->name);
+ strncpy(unode->name, node->name, MAX_CLUSTER_MEMBER_NAME_LEN - 1);
unode->jointime = node->join_time;
unode->size = sizeof(struct cl_cluster_node);
unode->votes = node->votes;
@@ -421,7 +421,7 @@ int cman_set_nodename(char *name)
if (ais_running)
return -EALREADY;
- strncpy(nodename, name, MAX_CLUSTER_MEMBER_NAME_LEN);
+ strncpy(nodename, name, MAX_CLUSTER_MEMBER_NAME_LEN - 1);
return 0;
}
@@ -1401,7 +1401,7 @@ static int do_cmd_update_fence_info(char *cmdbuf)
fence_msg->nodeid = f->nodeid;
fence_msg->timesec = f->fence_time;
fence_msg->fenced = 1;
- strcpy(fence_msg->agent, f->fence_agent);
+ strncpy(fence_msg->agent, f->fence_agent, MAX_FENCE_AGENT_NAME_LEN - 1);
comms_send_message(msg, sizeof(msg), 0,0, 0, 0);
log_printf(LOGSYS_LEVEL_DEBUG, "memb: node %d fenced by %s\n", f->nodeid, f->fence_agent);
@@ -1428,7 +1428,7 @@ static int do_cmd_get_fence_info(char *cmdbuf, char **retbuf, int retsize, int *
f->flags = node->flags&NODE_FLAGS_FENCED;
if (node->fence_agent)
- strcpy(f->fence_agent, node->fence_agent);
+ strncpy(f->fence_agent, node->fence_agent, MAX_FENCE_AGENT_NAME_LEN - 1);
else
f->fence_agent[0] = '\0';
*retlen = sizeof(struct cl_fence_info);
@@ -1867,10 +1867,10 @@ void send_transition_msg(int last_memb_count, int first_trans)
msg->flags = us->flags;
msg->fence_time = us->fence_time;
msg->join_time = join_time;
- strcpy(msg->clustername, cluster_name);
+ memcpy(msg->clustername, cluster_name, MAX_CLUSTER_NAME_LEN);
if (us->fence_agent)
{
- strcpy(msg->fence_agent, us->fence_agent);
+ strncpy(msg->fence_agent, us->fence_agent, MAX_FENCE_AGENT_NAME_LEN - 1);
len += strlen(us->fence_agent)+1;
}
else
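Review bot: Two length problems remain in this hunk. `memcpy(msg->clustername, cluster_name, MAX_CLUSTER_NAME_LEN);` always reads MAX_CLUSTER_NAME_LEN bytes from `cluster_name`, which is safe only if that buffer is at least that large (declared elsewhere), and it does not guarantee a terminator in `msg->clustername`. Second, the agent is copied with a truncating bound but `len += strlen(us->fence_agent)+1;` still adds the untruncated length; if `len` is the size later sent, which happens outside the hunk, the message can cover bytes that were never written. Terminate the field and size from the copy instead: `msg->fence_agent[MAX_FENCE_AGENT_NAME_LEN - 1] = '\0'; len += strlen(msg->fence_agent) + 1;`. This assumes `msg->fence_agent` is MAX_FENCE_AGENT_NAME_LEN bytes — confirm against the struct definition.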
@@ -2128,7 +2128,7 @@ static void do_process_transition(int nodeid, char *data)
fence_msg->nodeid = nodeid;
fence_msg->timesec = node->fence_time;
fence_msg->fenced = 0;
- strcpy(fence_msg->agent, node->fence_agent);
+ strncpy(fence_msg->agent, node->fence_agent, MAX_FENCE_AGENT_NAME_LEN - 1);
comms_send_message(fencemsg, sizeof(fencemsg), 0,0, nodeid, 0);
}
}
@@ -2307,7 +2307,7 @@ void add_ais_node(int nodeid, uint64_t incar, int total_members)
log_printf(LOG_ERR, "Got node from AIS id %d with no config entry\n", nodeid);
/* Emergency nodename */
- sprintf(tempname, "Node%d", nodeid);
+ snprintf(tempname, sizeof(tempname) - 1, "Node%d", nodeid);
node = add_new_node(tempname, nodeid, 1, total_members, NODESTATE_DEAD);
if (!node) {
log_printf(LOG_ERR, "Unable to add newnode!\n");
@@ -2432,7 +2432,7 @@ static const char *killmsg_reason(int reason)
return "we rejoined the cluster without a full restart";
default:
- sprintf(msg, "we got kill message number %d", reason);
+ snprintf(msg, sizeof(msg) - 1, "we got kill message number %d", reason);
return msg;
}
}
--
1.7.4.4