--- cfs_adm.c.orig	Mon Dec 25 10:41:30 1995
+++ cfs_adm.c	Sat Mar 12 21:31:43 2005
@@ -49,6 +49,7 @@
 	int i;
 	cfskey tk;
 	instance *ins;
+	int l;
 
 #ifdef DEBUG
 	printf("attach: %s %s %d\n",ap->dirname, ap->name, ap->anon);
@@ -86,12 +87,17 @@
 		ret=CFSERR_IFULL;
 		return &ret;
 	}
-	topinstance=i;
-	instances[i]=ins;
 	ins->id=i;
 	for (i=0; i<HSIZE; i++)
 		ins->file[i]=NULL;
 	ins->key.smsize = ap->smsize;
+	l = snprintf(ins->path, sizeof(ins->path), "%s/.", ap->dirname);
+	if (l < 0 || l >= sizeof(ins->path)) {
+		free(ins);
+		ret = CFSERR_IFULL;
+		return &ret;
+	}
+	(void)strlcpy(ins->name, ap->name, sizeof(ins->name));
 	if ((ins->key.primask=(char*) malloc(ins->key.smsize)) == NULL) {
 		free(ins);
 		ret = CFSERR_IFULL;
@@ -104,8 +110,6 @@
 		return &ret;
 	}
 	ins->anon=ap->anon;
-	sprintf(ins->path,"%s/.",ap->dirname);
-	strcpy(ins->name,ap->name);
 	copykey(&ap->key,&ins->key);
 	genmasks(&ins->key);
 	ins->uid=ap->uid;
@@ -121,6 +125,8 @@
 	bzero((char *)ins->check,8);
 	bcopy((char *)&roottime,(char *)ins->check,sizeof(roottime));
 	cipher(&ins->key,ins->check,0);
+	topinstance=ins->id;
+	instances[ins->id]=ins;
 	ret=CFS_OK;
 	return &ret;
 }
@@ -144,10 +150,10 @@
 	FILE *fp;
 
 	for (i=0; i < k->smsize; i+=CFSBLOCK) {
-		sprintf(start,"0%07x",i/CFSBLOCK);
+		(void)snprintf(start,sizeof(start),"0%07x",i/CFSBLOCK);
 		bcopy(start,&k->primask[i],CFSBLOCK);
 		mask_cipher(k,&k->primask[i],0);
-		sprintf(start,"1%07x",i/CFSBLOCK);
+		(void)snprintf(start,sizeof(start),"1%07x",i/CFSBLOCK);
 		bcopy(start,&k->secmask[i],CFSBLOCK);
 		mask_cipher(k,&k->secmask[i],0);
 	}
@@ -215,10 +221,13 @@
      cfs_admkey *k;
 {
 	FILE *fp;
-	char fn[1024];
+	char fn[NFS_MAXPATHLEN];
 	char buf[9];
+	int l;
 
-	sprintf(fn,"%s/...",path);
+	l = snprintf(fn, sizeof(fn), "%s/...", path);
+	if (l < 0 || l >= sizeof(fn))
+		return CFSERR_BADNAME;
 	if ((fp=fopen(fn,"r"))==NULL)
 		return CFSERR_NODIR;
 	if (fread(buf,8,1,fp)!=1) {