I think I stumbled upon a bug in the i_snprintf() function. In the case of vnsprintf() being available, it depends on vnsprintf() returning -1 when the string was longer than the passed-in limit (or it won't terminate the string.). But this isn't the C99-standardized behaviour, and newer glibc's don't do that anymore either, so you can end up with a non-terminated string. This patch should fix it, I think. Index: strfuncs.c =================================================================== RCS file: /home/cvs/dovecot/src/lib/strfuncs.c,v retrieving revision 1.14 diff -c -u -r1.14 strfuncs.c --- strfuncs.c 20 Oct 2002 03:19:10 -0000 1.14 +++ strfuncs.c 23 Oct 2002 11:19:39 -0000 @@ -401,7 +401,7 @@ va_end(args); t_pop(); - if (ret < 0) { + if (ret < 0 || ret >= max_chars) { str[max_chars-1] = '\0'; ret = strlen(str); } -- Thomas Wouters <thomas@xs4all.net> Hi! I'm a .signature virus! copy me into your .signature file to help me spread!