SECURITY: length limits on many cmdline options

[exim.git] / src / src / transport.c

diff --git a/src/src/transport.c b/src/src/transport.c
index 609fd128c7dc09dc8942c5a416aaa7db1349dac7..8ee89ed2f78c42123d514ccf4f09704461be4964 100644 (file)
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -958,9 +958,10 @@ if (!(tctx->options & topt_no_headers))
 
   if (tctx->options & topt_add_return_path)
     {
-    uschar buffer[ADDRESS_MAXLENGTH + 20];
-    int n = sprintf(CS buffer, "Return-path: <%.*s>\n", ADDRESS_MAXLENGTH,
-      return_path);
+    uschar buffer[EXIM_EMAILADDR_MAX + 20];
+    int n = string_format(CS buffer, sizeof(buffer),
+                          "Return-path: <%.*s>\n",
+                          EXIM_EMAILADDR_MAX, return_path);
     if (!write_chunk(tctx, buffer, n)) goto bad;
     }
 
@@ -1730,7 +1731,7 @@ while (1)
     {
     msgq[i].bKeep = TRUE;
 
-    Ustrncpy_nt(msgq[i].message_id, host_record->text + (i * MESSAGE_ID_LENGTH), 
+    Ustrncpy_nt(msgq[i].message_id, host_record->text + (i * MESSAGE_ID_LENGTH),
       MESSAGE_ID_LENGTH);
     msgq[i].message_id[MESSAGE_ID_LENGTH] = 0;
     }