Index: refclock_parse.c
===================================================================
RCS file: /cvsroot/src/external/bsd/ntp/dist/ntpd/refclock_parse.c,v
retrieving revision 1.5
diff -u -u -r1.5 refclock_parse.c
--- refclock_parse.c	1 Feb 2012 07:46:22 -0000	1.5
+++ refclock_parse.c	9 Aug 2012 12:53:49 -0000
@@ -4272,25 +4272,30 @@
 						{
 							if (status & s->flag)
 							{
-								if (p != b)
+								if (p != b
+								    && p < buffer[sizeof(buffer)] - 3)
 								{
 									*p++ = ',';
 									*p++ = ' ';
 								}
 								
-								strncat(p, (const char *)s->string, sizeof(buffer));
+								strncat(p, (const char *)s->string, BUFFER_SIZE(buffer, p));
 							}
 							s++;
 						}
-		
-						*p++ = '"';
-						*p   = '\0';
+						if (p < buffer[sizeof(buffer)] - 2])
+						{
+							*p++ = '"';
+							*p   = '\0';
+						}
+
 					}
 					else
 					{
 						strncat(buffer, "<OK>\"", sizeof(buffer));
 					}
 		
+					buffer[sizeof(buffer) - 1] = '\0';
 					set_var(&parse->kv, buffer, strlen(buffer)+1, RO|DEF);
 				}
 			break;
@@ -4385,6 +4390,7 @@
 					
 					strncat(p, "\"", BUFFER_SIZE(buffer, p));
 					
+					buffer[sizeof(buffer) - 1] = '\0';
 					set_var(&parse->kv, buffer, strlen(buffer)+1, RO|DEF);
 				}
 			break;
@@ -4408,6 +4414,7 @@
 						p += strlen(p);
 						mbg_tgps_str(&p, &cfgh.tot_51, BUFFER_SIZE(buffer, p));
 						strncpy(p, "\"", BUFFER_SIZE(buffer, p));
+						buffer[sizeof(buffer) - 1] = '\0';
 						set_var(&parse->kv, buffer, strlen(buffer)+1, RO);
 						
 						p = buffer;
@@ -4415,6 +4422,7 @@
 						p += strlen(p);
 						mbg_tgps_str(&p, &cfgh.tot_63, BUFFER_SIZE(buffer, p));
 						strncpy(p, "\"", BUFFER_SIZE(buffer, p));
+						buffer[sizeof(buffer) - 1] = '\0';
 						set_var(&parse->kv, buffer, strlen(buffer)+1, RO);
 						
 						p = buffer;
@@ -4422,6 +4430,7 @@
 						p += strlen(p);
 						mbg_tgps_str(&p, &cfgh.t0a, BUFFER_SIZE(buffer, p));
 						strncpy(p, "\"", BUFFER_SIZE(buffer, p));
+						buffer[sizeof(buffer) - 1] = '\0';
 						set_var(&parse->kv, buffer, strlen(buffer)+1, RO);
 						
 						for (i = MIN_SVNO; i < MAX_SVNO; i++)
@@ -4442,6 +4451,7 @@
 								break;
 							}
 							strncat(p, "\"", BUFFER_SIZE(buffer, p));
+							buffer[sizeof(buffer) - 1] = '\0';
 							set_var(&parse->kv, buffer, strlen(buffer)+1, RO);
 							
 							p = buffer;
@@ -4498,7 +4508,8 @@
 								break;
 							}
 							
-							strncat(p, "\"", sizeof(buffer));
+							strncat(p, "\"", BUFFER_SIZE(buffer, p));
+							buffer[sizeof(buffer) - 1] = '\0';
 							set_var(&parse->kv, buffer, strlen(buffer)+1, RO);
 						}
 					}
@@ -4532,6 +4543,7 @@
 					{
 						strncpy(p, "gps_utc_correction=\"<NO UTC DATA>\"", BUFFER_SIZE(buffer, p));
 					}
+					buffer[sizeof(buffer) - 1] = '\0';
 					set_var(&parse->kv, buffer, strlen(buffer)+1, RO|DEF);
 				}
 			break;
@@ -4556,6 +4568,7 @@
 					else
 						strncpy(buffer, "gps_message=<NONE>", sizeof(buffer));
 					
+					buffer[sizeof(buffer) - 1] = '\0';
 					set_var(&parse->kv, buffer, strlen(buffer)+1, RO|DEF);
 				}
 			
@@ -5755,6 +5768,7 @@
 		t += strlen(t);
 
 		strncpy(t,"\"", BUFFER_SIZE(pbuffer, t));
+		buffer[sizeof(buffer) - 1] = '\0';
 		set_var(&parse->kv, pbuffer, sizeof(pbuffer), var_flag);
 	}
 }