Index: external/bsd/ipf/dist/tools/ipmon.c =================================================================== RCS file: /cvsroot/src/external/bsd/ipf/dist/tools/ipmon.c,v retrieving revision 1.8 diff -p -u -u -r1.8 ipmon.c --- external/bsd/ipf/dist/tools/ipmon.c 4 Feb 2018 08:19:42 -0000 1.8 +++ external/bsd/ipf/dist/tools/ipmon.c 3 Oct 2019 07:21:41 -0000 @@ -1097,7 +1097,7 @@ print_ipflog(config_t *conf, const iplog { char ifname[sizeof(ipf.fl_ifname) + 1]; - strncpy(ifname, ipf.fl_ifname, sizeof(ipf.fl_ifname)); + strncpy(ifname, ipf.fl_ifname, sizeof(ifname)-1); ifname[sizeof(ipf.fl_ifname)] = '\0'; sprintf(t, "%s", ifname); t += strlen(t); Index: sys/compat/sunos/sunos_misc.c =================================================================== RCS file: /cvsroot/src/sys/compat/sunos/sunos_misc.c,v retrieving revision 1.174 diff -p -u -u -r1.174 sunos_misc.c --- sys/compat/sunos/sunos_misc.c 23 Sep 2019 21:07:50 -0000 1.174 +++ sys/compat/sunos/sunos_misc.c 3 Oct 2019 07:21:41 -0000 @@ -657,7 +657,7 @@ sunos_sys_uname(struct lwp *l, const str memcpy(sut.nodename, hostname, sizeof(sut.nodename)); sut.nodename[sizeof(sut.nodename)-1] = '\0'; memcpy(sut.release, osrelease, sizeof(sut.release) - 1); - memcpy(sut.version, "1", sizeof(sut.version) - 1); + sut.version[0] = '1'; memcpy(sut.machine, machine, sizeof(sut.machine) - 1); return copyout((void *)&sut, (void *)SCARG(uap, name), Index: tests/fs/common/fstest_nfs.c =================================================================== RCS file: /cvsroot/src/tests/fs/common/fstest_nfs.c,v retrieving revision 1.10 diff -p -u -u -r1.10 fstest_nfs.c --- tests/fs/common/fstest_nfs.c 1 Feb 2019 09:06:07 -0000 1.10 +++ tests/fs/common/fstest_nfs.c 3 Oct 2019 07:21:41 -0000 
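Review bot: In the ipmon.c hunk the terminator after the changed `strncpy` is still indexed with `sizeof(ipf.fl_ifname)`, while the copy bound is now `sizeof(ifname)-1`. The two are equal only because `ifname` is declared one byte larger than the source field. Writing `ifname[sizeof(ifname) - 1] = '\0';` ties both expressions to the destination, so a later change to the declaration cannot desynchronise them. The `sprintf(t, "%s", ifname)` that follows writes through a cursor whose remaining space is not visible here; print_ipflog extends beyond the hunk, so that bound is worth confirming.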
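Review bot: In the sunos_misc.c hunk `sut.version[0] = '1';` yields a terminated string only if `sut` was zeroed earlier in sunos_sys_uname, which is outside this hunk. The whole struct goes to userland through `copyout`, so any byte left unwritten is disclosed as it is. If no `memset(&sut, 0, sizeof(sut))` precedes these lines, add one, or at least add `sut.version[1] = '\0';`. The neighbouring `memcpy(sut.release, osrelease, sizeof(sut.release) - 1)` and the `machine` copy keep the pattern this hunk removes, a length taken from the destination, and would read past the source if it is shorter than the field; `strlcpy(sut.release, osrelease, sizeof(sut.release))` bounds both sides.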
@@ -87,10 +87,12 @@ donewfs(const atf_tc_t *tc, void **argp, * First, we start the nfs service. */ srcdir = atf_tc_get_config_var(tc, "srcdir"); - sprintf(nfsdpath, "%s/../nfs/nfsservice/rumpnfsd", srcdir); - sprintf(ethername, "/%s/%s.etherbus", getcwd(cwd, sizeof(cwd)), image); - sprintf(ethername_ro, "%s_ro", ethername); - sprintf(imagepath, "/%s/%s", cwd, image); + snprintf(nfsdpath, sizeof nfsdpath, + "%s/../nfs/nfsservice/rumpnfsd", srcdir); + snprintf(ethername, sizeof ethername, + "/%s/%s.etherbus", getcwd(cwd, sizeof(cwd)), image); + snprintf(ethername_ro, sizeof ethername_ro, "%s_ro", ethername); + snprintf(imagepath, sizeof imagepath, "/%s/%s", cwd, image); nfsdargv[0] = nfsdpath; nfsdargv[1] = ethername; Index: tests/include/sys/t_socket.c =================================================================== RCS file: /cvsroot/src/tests/include/sys/t_socket.c,v retrieving revision 1.5 diff -p -u -u -r1.5 t_socket.c --- tests/include/sys/t_socket.c 13 Jan 2017 21:30:41 -0000 1.5 +++ tests/include/sys/t_socket.c 3 Oct 2019 07:21:41 -0000 @@ -98,7 +98,7 @@ ATF_TC_BODY(cmsg_sendfd, tc) memset(&sun, 0, sizeof(sun)); sun.sun_family = AF_LOCAL; #define SOCKPATH "/com" - strncpy(sun.sun_path, SOCKPATH, sizeof(SOCKPATH)); + strncpy(sun.sun_path, SOCKPATH, sizeof(sun.sun_path) - 1); s1 = rump_sys_socket(AF_LOCAL, SOCK_STREAM, 0); if (s1 == -1) atf_tc_fail_errno("socket 1"); 
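Review bot: In the donewfs hunk the result of `getcwd(cwd, sizeof(cwd))` is passed straight to `%s` in the `ethername` call, so a failing getcwd hands a null pointer to snprintf and leaves `cwd` undefined for the `imagepath` line. None of the four snprintf return values is checked either, so an over-long srcdir or working directory now produces a silently truncated path that is then placed in `nfsdargv`. Suggest `if (getcwd(cwd, sizeof(cwd)) == NULL) atf_tc_fail_errno("getcwd");` before the formatting, and failing the test when a return value is negative or `>= sizeof` of its buffer. donewfs continues outside the hunk.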
@@ -114,7 +114,7 @@ ATF_TC_BODY(cmsg_sendfd, tc) /* connect to unix domain socket */ memset(&sun, 0, sizeof(sun)); sun.sun_family = AF_LOCAL; - strncpy(sun.sun_path, SOCKPATH, sizeof(SOCKPATH)); + strncpy(sun.sun_path, SOCKPATH, sizeof(sun.sun_path) - 1); s2 = rump_sys_socket(AF_LOCAL, SOCK_STREAM, 0); if (s2 == -1) atf_tc_fail_errno("socket 2"); Index: usr.bin/make/arch.c =================================================================== RCS file: /cvsroot/src/usr.bin/make/arch.c,v retrieving revision 1.70 diff -p -u -u -r1.70 arch.c --- usr.bin/make/arch.c 16 Apr 2017 20:49:09 -0000 1.70 +++ usr.bin/make/arch.c 3 Oct 2019 07:21:41 -0000 @@ -635,7 +635,8 @@ ArchStatMember(char *archive, char *memb arh.ar_size[sizeof(arh.ar_size)-1] = '\0'; size = (int)strtol(arh.ar_size, NULL, 10); - (void)strncpy(memName, arh.ar_name, sizeof(arh.ar_name)); + (void)strncpy(memName, arh.ar_name, sizeof(memName) - 1); + memName[sizeof(memName) - 1] = '\0'; for (cp = &memName[AR_MAX_NAME_LEN]; *cp == ' '; cp--) { continue; } Index: usr.bin/netstat/mroute.c =================================================================== RCS file: /cvsroot/src/usr.bin/netstat/mroute.c,v retrieving revision 1.25 diff -p -u -u -r1.25 mroute.c --- usr.bin/netstat/mroute.c 6 Nov 2014 21:30:09 -0000 1.25 +++ usr.bin/netstat/mroute.c 3 Oct 2019 07:21:41 -0000 @@ -269,7 +269,7 @@ mroutepr(u_long mrpaddr, u_long mfchasht static void print_bw_meter(struct bw_meter *bw_meter, int *banner_printed) { - char s0[256], s1[256], s2[256], s3[256]; + char s0[256*3], s1[256], s2[256], s3[256]; struct timeval now, end, delta; gettimeofday(&now, NULL); 
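Review bot: In the arch.c hunk, bounding the `strncpy` by `sizeof(memName) - 1` instead of `sizeof(arh.ar_name)` lets the copy run past the end of `arh.ar_name` whenever that field holds no NUL. The trailing-space loop right below suggests the field is fixed-width and space-padded, so that is probably the normal case, and the read then continues into the header members that follow it. A copy bounded by the source keeps the read inside the member: `memcpy(memName, arh.ar_name, sizeof(arh.ar_name)); memName[sizeof(arh.ar_name)] = '\0';`. This assumes memName, which is declared outside the hunk, is larger than the field.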
@@ -286,37 +286,37 @@ print_bw_meter(struct bw_meter *bw_meter /* The measured values */ if (bw_meter->bm_flags & BW_METER_UNIT_PACKETS) - sprintf(s1, "%llu", (unsigned long long)bw_meter->bm_measured.b_packets); + snprintf(s1, sizeof s1, "%llu", (unsigned long long)bw_meter->bm_measured.b_packets); else - sprintf(s1, "?"); + snprintf(s1, sizeof s1, "?"); if (bw_meter->bm_flags & BW_METER_UNIT_BYTES) - sprintf(s2, "%llu", (unsigned long long)bw_meter->bm_measured.b_bytes); + snprintf(s2, sizeof s2, "%llu", (unsigned long long)bw_meter->bm_measured.b_bytes); else - sprintf(s2, "?"); - sprintf(s0, "%lld.%ld|%s|%s", + snprintf(s2, sizeof s2, "?"); + snprintf(s0, sizeof s0, "%lld.%ld|%s|%s", (long long)bw_meter->bm_start_time.tv_sec, (long)bw_meter->bm_start_time.tv_usec, s1, s2); printf(" %-30s", s0); /* The type of entry */ - sprintf(s0, "%s", "?"); + snprintf(s0, sizeof s0, "%s", "?"); if (bw_meter->bm_flags & BW_METER_GEQ) - sprintf(s0, "%s", ">="); + snprintf(s0, sizeof s0, "%s", ">="); else if (bw_meter->bm_flags & BW_METER_LEQ) - sprintf(s0, "%s", "<="); + snprintf(s0, sizeof s0, "%s", "<="); printf(" %-3s", s0); /* The threshold values */ if (bw_meter->bm_flags & BW_METER_UNIT_PACKETS) - sprintf(s1, "%llu", (unsigned long long)bw_meter->bm_threshold.b_packets); + snprintf(s1, sizeof s1, "%llu", (unsigned long long)bw_meter->bm_threshold.b_packets); else - sprintf(s1, "?"); + snprintf(s1, sizeof s1, "?"); if (bw_meter->bm_flags & BW_METER_UNIT_BYTES) - sprintf(s2, "%llu", (unsigned long long)bw_meter->bm_threshold.b_bytes); + snprintf(s2, sizeof s2, "%llu", (unsigned long long)bw_meter->bm_threshold.b_bytes); else - sprintf(s2, "?"); - sprintf(s0, "%lld.%ld|%s|%s", + snprintf(s2, sizeof s2, "?"); + snprintf(s0, sizeof s0, "%lld.%ld|%s|%s", (long long)bw_meter->bm_threshold.b_time.tv_sec, (long)bw_meter->bm_threshold.b_time.tv_usec, s1, s2); 
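Review bot: The `%lld.%ld` conversions that build `s0` print `tv_usec` without zero padding, so 1 s and 5 µs comes out as `1.5`, which reads as half a second. This applies to both `s0` timestamps in this hunk and to the two `s3` formats in the next one. Since every call is being rewritten anyway, use `"%lld.%06ld"` in all four. The `256*3` size given to `s0` in the previous hunk would also benefit from a short comment, e.g. `/* s0 holds s1 and s2 plus a timestamp */`.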
@@ -327,12 +327,12 @@ print_bw_meter(struct bw_meter *bw_meter &bw_meter->bm_threshold.b_time, &end); if (timercmp(&now, &end, <=)) { timersub(&end, &now, &delta); - sprintf(s3, "%lld.%ld", + snprintf(s3, sizeof s3, "%lld.%ld", (long long)delta.tv_sec, (long)delta.tv_usec); } else { /* Negative time */ timersub(&now, &end, &delta); - sprintf(s3, "-%lld.%ld", + snprintf(s3, sizeof s3, "-%lld.%ld", (long long)delta.tv_sec, (long)delta.tv_usec); } printf(" %s", s3); Index: usr.bin/telnet/commands.c =================================================================== RCS file: /cvsroot/src/usr.bin/telnet/commands.c,v retrieving revision 1.76 diff -p -u -u -r1.76 commands.c --- usr.bin/telnet/commands.c 5 Jan 2019 08:55:58 -0000 1.76 +++ usr.bin/telnet/commands.c 3 Oct 2019 07:21:41 -0000 @@ -2503,13 +2503,14 @@ cmdrc(const char *m1, const char *m2) if (isspace((unsigned char)line[0])) continue; if (strncasecmp(line, m1, l1) == 0) - strncpy(line, &line[l1], sizeof(line) - l1); + memmove(line, &line[l1], sizeof(line) - l1 - 1); else if (strncasecmp(line, m2, l2) == 0) - strncpy(line, &line[l2], sizeof(line) - l2); + memmove(line, &line[l2], sizeof(line) - l2 - 1); else if (strncasecmp(line, "DEFAULT", 7) == 0) - strncpy(line, &line[7], sizeof(line) - 7); + memmove(line, &line[7], sizeof(line) - 7 - 1); else continue; + line[sizeof(line) - 1] = '\0'; if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n') continue; gotmachine = 1; Index: usr.bin/who/utmpentry.c =================================================================== RCS file: /cvsroot/src/usr.bin/who/utmpentry.c,v retrieving revision 1.18 diff -p -u -u -r1.18 utmpentry.c --- usr.bin/who/utmpentry.c 21 Nov 2015 15:01:43 -0000 1.18 +++ usr.bin/who/utmpentry.c 3 Oct 2019 07:21:41 -0000 
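Review bot: In the cmdrc hunk the `memmove` length `sizeof(line) - l1 - 1` stops one byte short of the end of the buffer, so when the text in `line` fills the buffer its terminator at the last index is not moved. The unconditional `line[sizeof(line) - 1] = '\0'` then leaves the last `l1` bytes of the old contents between the shifted text and the terminator. Moving exactly the string avoids that, and also avoids reading bytes past the terminator: `memmove(line, &line[l1], strlen(&line[l1]) + 1);`, likewise for `l2` and `7`. How `line` is filled is outside the hunk, so whether a completely full buffer can occur should be confirmed against the read loop.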
@@ -283,9 +283,9 @@ getentry(struct utmpentry *e, struct utm * reason we use the size of the _source_ as the length * argument. */ - (void)strncpy(e->name, up->ut_name, sizeof(up->ut_name)); - (void)strncpy(e->line, up->ut_line, sizeof(up->ut_line)); - (void)strncpy(e->host, up->ut_host, sizeof(up->ut_host)); + (void)strncpy(e->name, up->ut_name, sizeof(e->name)); + (void)strncpy(e->line, up->ut_line, sizeof(e->line)); + (void)strncpy(e->host, up->ut_host, sizeof(e->host)); e->tv.tv_sec = up->ut_time; e->tv.tv_usec = 0; @@ -314,9 +314,9 @@ getentryx(struct utmpentry *e, struct ut * reason we use the size of the _source_ as the length * argument. */ - (void)strncpy(e->name, up->ut_name, sizeof(up->ut_name)); - (void)strncpy(e->line, up->ut_line, sizeof(up->ut_line)); - (void)strncpy(e->host, up->ut_host, sizeof(up->ut_host)); + (void)strncpy(e->name, up->ut_name, sizeof(e->name)); + (void)strncpy(e->line, up->ut_line, sizeof(e->line)); + (void)strncpy(e->host, up->ut_host, sizeof(e->host)); e->tv = up->ut_tv; e->pid = up->ut_pid; Index: usr.sbin/eeprom/eehandlers.c =================================================================== RCS file: /cvsroot/src/usr.sbin/eeprom/eehandlers.c,v retrieving revision 1.18 diff -p -u -u -r1.18 eehandlers.c --- usr.sbin/eeprom/eehandlers.c 2 Jul 2013 11:59:46 -0000 1.18 +++ usr.sbin/eeprom/eehandlers.c 3 Oct 2019 07:21:41 -0000 @@ -530,7 +530,7 @@ doio(const struct keytabent *ktent, u_ch buf2 = (u_char *)calloc(1, len); if (buf2 == NULL) { - memcpy(err_str, "memory allocation failed", sizeof err_str); + snprintf(err_str, sizeof err_str, "memory allocation failed"); return (1); } Index: usr.sbin/sup/source/scan.c =================================================================== RCS file: /cvsroot/src/usr.sbin/sup/source/scan.c,v retrieving revision 1.32 diff -p -u -u -r1.32 scan.c --- usr.sbin/sup/source/scan.c 12 Mar 2016 02:26:40 -0000 1.32 +++ usr.sbin/sup/source/scan.c 3 Oct 2019 07:21:41 -0000 
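Review bot: In getentry the three `strncpy` calls now take their length from the destination, which contradicts the comment directly above them ("we use the size of the _source_ as the length argument") and removes the protection it describes. If `ut_name`, `ut_line` and `ut_host` can be completely filled with no NUL, as that comment implies, the copy reads past the source field and `e->name` picks up bytes from whatever follows it. The same change is made in getentryx in the next hunk. To keep the bound on the source and still satisfy the compiler, `memcpy(e->name, up->ut_name, sizeof(up->ut_name)); e->name[sizeof(up->ut_name)] = '\0';` works, provided the destination fields are at least one byte larger; their declarations are outside the hunk.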
@@ -931,7 +931,7 @@ chkscanfile(char *scanfile) if (scanfile == NULL) scanfile = FILESCANDEF; (void) sprintf(fname, FILESCAN, collname, scanfile); - (void) sprintf(tname, "%s.temp", fname); + (void) snprintf(tname, sizeof tname, "%s.temp", fname); if (NULL == (f = fopen(tname, "w"))) goaway("Can't test scan file temp %s for %s", tname, collname); else { @@ -950,7 +950,7 @@ makescanfile(char *scanfile) if (scanfile == NULL) scanfile = FILESCANDEF; (void) sprintf(fname, FILESCAN, collname, scanfile); - (void) sprintf(tname, "%s.temp", fname); + (void) snprintf(tname, sizeof tname, "%s.temp", fname); scanF = fopen(tname, "w"); if (scanF == NULL) goto out; Index: usr.sbin/sup/source/supfilesrv.c =================================================================== RCS file: /cvsroot/src/usr.sbin/sup/source/supfilesrv.c,v retrieving revision 1.52 diff -p -u -u -r1.52 supfilesrv.c --- usr.sbin/sup/source/supfilesrv.c 3 Feb 2019 03:19:31 -0000 1.52 +++ usr.sbin/sup/source/supfilesrv.c 3 Oct 2019 07:21:41 -0000 @@ -889,7 +889,7 @@ srvsetup(void) /* check crosspatch host access file */ cryptkey = NULL; - (void) sprintf(buf, FILEXPATCH, xuser); + snprintf(buf, sizeof buf, FILEXPATCH, xuser); /* Turn off link following */ if (link_nofollow(1) != -1) { @@ -1703,9 +1703,9 @@ changeuid(char *namep, char *passwordp, if (namep == NULL) { pwd = getpwuid(fileuid); if (pwd == NULL) { - (void) sprintf(errbuf, "Reason: Unknown user id %d", - fileuid); - return (errbuf); + snprintf(errbuf, sizeof errbuf, + "Reason: Unknown user id %d", fileuid); + return errbuf; } grp = getgrgid(filegid); if (grp) @@ -1730,9 +1730,9 @@ changeuid(char *namep, char *passwordp, } pwd = getpwnam(nbuf); if (pwd == NULL) { - (void) sprintf(errbuf, "Reason: Unknown user %s", - nbuf); - return (errbuf); + snprintf(errbuf, sizeof errbuf, + "Reason: Unknown user %s", nbuf); + return errbuf; } if (strcmp(nbuf, DEFUSER) == 0) pswdp = NULL; 
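Review bot: In scan.c only `tname` is bounded; the `sprintf(fname, FILESCAN, collname, scanfile)` one line above it stays unbounded in both chkscanfile and makescanfile, and `scanfile` is a caller-supplied argument. Assuming `fname` is an array like `tname`, convert it as well: `(void) snprintf(fname, sizeof fname, FILESCAN, collname, scanfile);`. A return value `>= sizeof tname` from the new call should be treated as an error, because a truncated name makes `fopen(tname, "w")` create a different file from the one intended.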
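Review bot: In srvsetup the return value of `snprintf(buf, sizeof buf, FILEXPATCH, xuser)` is ignored, so an over-long `xuser` now yields a truncated path for the crosspatch host access file check instead of an overflow. Where `xuser` comes from is outside the hunk; if the peer can influence it, a truncated name could resolve to a different file from the one intended. Suggest rejecting the request when the result is negative or `>= sizeof buf`. The `errbuf` conversions in changeuid in the following hunks only build messages, where truncation is harmless.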
@@ -1744,11 +1744,11 @@ changeuid(char *namep, char *passwordp, setpag(); /* set a pag */ if (ka_UserAuthenticate(pwd->pw_name, "", 0, pswdp, 1, &reason)) { - (void) sprintf(errbuf, "AFS authentication failed, %s", - reason); + snprintf(errbuf, sizeof errbuf, + "AFS authentication failed, %s", reason); logerr("Attempt by %s; %s", nbuf, errbuf); - return (errbuf); + return errbuf; } } #endif @@ -1789,7 +1789,7 @@ changeuid(char *namep, char *passwordp, break; #if CMUCS case ACCESS_CODE_INSECUREPWD: - (void) sprintf(errbuf, "Reason: %s", p); + snprintf(errbuf, sizeof errbuf, "Reason: %s", p); p = errbuf; break; case ACCESS_CODE_DENIED: @@ -1830,7 +1830,8 @@ changeuid(char *namep, char *passwordp, break; #endif /* CMUCS */ default: - (void) sprintf(p = errbuf, "Reason: Status %d", status); + snprintf(errbuf, sizeof errbuf, "Reason: Status %d", status); + p = errbuf; break; } if (status != ACCESS_CODE_OK) { Index: usr.sbin/sysinst/util.c =================================================================== RCS file: /cvsroot/src/usr.sbin/sysinst/util.c,v retrieving revision 1.32 diff -p -u -u -r1.32 util.c --- usr.sbin/sysinst/util.c 27 Aug 2019 14:11:00 -0000 1.32 +++ usr.sbin/sysinst/util.c 3 Oct 2019 07:21:41 -0000 @@ -170,7 +170,8 @@ int have_raid, have_vnd, have_cgd, have_ */ static int check_for(unsigned int mode, const char *pathname); -static int get_iso9660_volname(int dev, int sess, char *volname); +static int get_iso9660_volname(int dev, int sess, char *volname, + size_t volnamelen); static int get_available_cds(void); static int binary_available(const char *prog); @@ -376,7 +377,7 @@ get_via_floppy(void) * Get the volume name of a ISO9660 file system */ static int -get_iso9660_volname(int dev, int sess, char *volname) +get_iso9660_volname(int dev, int sess, char *volname, size_t volnamelen) { int blkno, error, last; char buf[ISO_BLKSIZE]; 
@@ -393,8 +394,9 @@ get_iso9660_volname(int dev, int sess, c if (isonum_711((const unsigned char *)&vd->type) == ISO_VD_PRIMARY) { pd = (struct iso_primary_descriptor*)buf; - strncpy(volname, pd->volume_id, sizeof pd->volume_id); - last = sizeof pd->volume_id-1; + strncpy(volname, pd->volume_id, volnamelen - 1); + volname[volnamelen - 1] = '\0'; + last = volnamelen - 1; while (last >= 0 && (volname[last] == ' ' || volname[last] == 0)) last--; @@ -455,7 +457,8 @@ get_available_cds_helper(void *arg, cons dev = open(dname, O_RDONLY, 0); if (dev == -1) continue; - error = get_iso9660_volname(dev, sess, volname); + error = get_iso9660_volname(dev, sess, volname, + sizeof volname); close(dev); if (error) continue;
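Review bot: `strncpy(volname, pd->volume_id, volnamelen - 1)` bounds the copy by the caller's buffer only, where the removed line bounded it by `sizeof pd->volume_id`. If the volume id is a fixed-width, space-padded field, as the trim loop below suggests, the copy can run on into the descriptor bytes after it. The trim then starts at `volnamelen - 1` rather than at the end of the field. `volnamelen - 1` also wraps for a length of 0 and is assigned to the `int` `last`. Bounding by the smaller of the two sizes keeps the read and the write inside their objects; the sketch assumes `volnamelen` is at least 1, which the one visible caller satisfies, and the function starts before this hunk.
```c
pd = (struct iso_primary_descriptor*)buf;
/* copy no more than the field holds and the caller's buffer allows */
size_t n = sizeof pd->volume_id;
if (n > volnamelen - 1)
	n = volnamelen - 1;
memcpy(volname, pd->volume_id, n);
volname[n] = '\0';
last = (int)n - 1;
/* … unchanged: trailing space/NUL trim loop … */
```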