diff -ru sbin/ipfw.orig/ipfw.c sbin/ipfw/ipfw.c
--- sbin/ipfw.orig/ipfw.c	2004-02-04 15:39:59.000000000 -0200
+++ sbin/ipfw/ipfw.c	2004-10-25 20:19:39.000000000 -0200
@@ -195,12 +195,13 @@
 		if (twidth == 0) {
 			time_t zerotime = 0;
 
-			strcpy(timestr, ctime(&zerotime));
+			strlcpy(timestr, ctime(&zerotime), sizeof(timestr));
 			*strchr(timestr, '\n') = '\0';
 			twidth = strlen(timestr);
 		}
 		if (chain->timestamp) {
-			strcpy(timestr, ctime((time_t *)&chain->timestamp));
+			strlcpy(timestr, ctime((time_t *)&chain->timestamp),
+				sizeof(timestr));
 			*strchr(timestr, '\n') = '\0';
 			printf("%s ", timestr);
 		} else {
@@ -617,17 +618,18 @@
 	l = fs->qsize;
 	if (fs->flags_fs & DN_QSIZE_IS_BYTES) {
 		if (l >= 8192)
-			sprintf(qs, "%d KB", l / 1024);
+			snprintf(qs, sizeof(qs), "%d KB", l / 1024);
 		else
-			sprintf(qs, "%d B", l);
+			snprintf(qs, sizeof(qs), "%d B", l);
 	} else
-		sprintf(qs, "%3d sl.", l);
+		snprintf(qs, sizeof(qs), "%3d sl.", l);
 	if (fs->plr)
-		sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
+		snprintf(plr, sizeof(qs), "plr %f",
+			 1.0 * fs->plr / (double)(0x7fffffff));
 	else
 		plr[0] = '\0';
 	if (fs->flags_fs & DN_IS_RED)	/* RED parameters */
-		sprintf(red,
+		snprintf(red, sizeof(red),
 		    "\n\t  %cRED w_q %f min_th %d max_th %d max_p %f",
 		    (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ',
 		    1.0 * fs->w_q / (double)(1 << SCALE_RED),
@@ -635,7 +637,7 @@
 		    SCALE_VAL(fs->max_th),
 		    1.0 * fs->max_p / (double)(1 << SCALE_RED));
 	else
-		sprintf(red, "droptail");
+		snprintf(red, sizeof(red), "droptail");
 
 	printf("%s %s%s %d queues (%d buckets) %s\n",
 	    prefix, qs, plr, fs->rq_elements, fs->rq_size, red);
@@ -723,17 +725,18 @@
 			if (rulenum != 0 && rulenum != p->pipe_nr)
 				continue;
 			if (p->if_name[0] != '\0')
-				sprintf(buf, "%s", p->if_name);
+				snprintf(buf, sizeof(buf), "%s", p->if_name);
 			else if (b == 0)
-				sprintf(buf, "unlimited");
+				snprintf(buf, sizeof(buf), "unlimited");
 			else if (b >= 1000000)
-				sprintf(buf, "%7.3f Mbit/s", b/1000000);
+				snprintf(buf, sizeof(buf), "%7.3f Mbit/s",
+					 b/1000000);
 			else if (b >= 1000)
-				sprintf(buf, "%7.3f Kbit/s", b/1000);
+				snprintf(buf, sizeof(buf), "%7.3f Kbit/s", b/1000);
 			else
-				sprintf(buf, "%7.3f bit/s ", b);
+				snprintf(buf, sizeof(buf), "%7.3f bit/s ", b);
 
-			sprintf(prefix, "%05d: %s %4d ms ",
+			snprintf(prefix, sizeof(buf), "%05d: %s %4d ms ",
 			    p->pipe_nr, buf, p->delay);
 			print_flowset_parms(&(p->fs), prefix);
 			if (verbose)
@@ -750,8 +753,9 @@
 			next = (void *)fs + l;
 			nbytes -= l;
 			q = (struct dn_flow_queue *)(fs+1);
-			sprintf(prefix, "q%05d: weight %d pipe %d ",
-			    fs->fs_nr, fs->weight, fs->parent_nr);
+			snprintf(prefix, sizeof(prefix),
+				 "q%05d: weight %d pipe %d ",
+				 fs->fs_nr, fs->weight, fs->parent_nr);
 			print_flowset_parms(fs, prefix);
 			list_queues(fs, q);
 		}
@@ -773,12 +777,12 @@
 			int width;
 
 			/* packet counter */
-			width = sprintf(temp, "%qu", r->fw_pcnt);
+			width = snprintf(temp, sizeof(temp), "%qu", r->fw_pcnt);
 			if (width > pcwidth)
 				pcwidth = width;
 
 			/* byte counter */
-			width = sprintf(temp, "%qu", r->fw_bcnt);
+			width = snprintf(temp, sizeof(temp), "%qu", r->fw_bcnt);
 			if (width > bcwidth)
 				bcwidth = width;
 		}
@@ -1534,9 +1538,9 @@
 				    || !strncmp(*av, "bandwidth", len)) {
 					if (av[1][0] >= 'a'
 					    && av[1][0] <= 'z') {
-						int l = sizeof(pipe.if_name)-1;
+						int l = sizeof(pipe.if_name);
 						/* interface name */
-						strncpy(pipe.if_name, av[1], l);
+						strlcpy(pipe.if_name, av[1], l);
 						pipe.if_name[l] = '\0';
 						pipe.bandwidth = 0;
 					} else {
@@ -2469,7 +2473,7 @@
 
 		while (fgets(buf, BUFSIZ, f)) {
 			lineno++;
-			sprintf(linename, "Line %d", lineno);
+			snprintf(linename, sizeof(linename), "Line %d", lineno);
 			args[0] = linename;
 
 			if (*buf == '#')
diff -ru sbin/ipfw.orig/ipfw2.c sbin/ipfw/ipfw2.c
--- sbin/ipfw.orig/ipfw2.c	2004-01-22 04:20:08.000000000 -0200
+++ sbin/ipfw/ipfw2.c	2004-10-25 20:32:22.000000000 -0200
@@ -830,7 +830,7 @@
 		char timestr[30];
 
 		if (twidth == 0) {
-			strcpy(timestr, ctime((time_t *)&twidth));
+			strlcpy(timestr, ctime((time_t *)&twidth), sizeof(timestr));
 			*strchr(timestr, '\n') = '\0';
 			twidth = strlen(timestr);
 		}
@@ -840,7 +840,7 @@
 #endif
 			time_t t = _long_to_time(rule->timestamp);
 
-			strcpy(timestr, ctime(&t));
+			strlcpy(timestr, ctime(&t), sizeof(timestr));
 			*strchr(timestr, '\n') = '\0';
 			printf("%s ", timestr);
 		} else {
@@ -1324,17 +1324,18 @@
 	l = fs->qsize;
 	if (fs->flags_fs & DN_QSIZE_IS_BYTES) {
 		if (l >= 8192)
-			sprintf(qs, "%d KB", l / 1024);
+			snprintf(qs, sizeof(qs), "%d KB", l / 1024);
 		else
-			sprintf(qs, "%d B", l);
+			snprintf(qs, sizeof(qs), "%d B", l);
 	} else
-		sprintf(qs, "%3d sl.", l);
+		snprintf(qs, sizeof(qs), "%3d sl.", l);
 	if (fs->plr)
-		sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
+		snprintf(plr, sizeof(plr),
+			 "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
 	else
 		plr[0] = '\0';
 	if (fs->flags_fs & DN_IS_RED)	/* RED parameters */
-		sprintf(red,
+		snprintf(red, sizeof(red),
 		    "\n\t  %cRED w_q %f min_th %d max_th %d max_p %f",
 		    (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ',
 		    1.0 * fs->w_q / (double)(1 << SCALE_RED),
@@ -1342,7 +1343,7 @@
 		    SCALE_VAL(fs->max_th),
 		    1.0 * fs->max_p / (double)(1 << SCALE_RED));
 	else
-		sprintf(red, "droptail");
+		snprintf(red, sizeof(red), "droptail");
 
 	printf("%s %s%s %d queues (%d buckets) %s\n",
 	    prefix, qs, plr, fs->rq_elements, fs->rq_size, red);
@@ -1384,17 +1385,17 @@
 		 * Print rate (or clocking interface)
 		 */
 		if (p->if_name[0] != '\0')
-			sprintf(buf, "%s", p->if_name);
+			snprintf(buf, sizeof(buf), "%s", p->if_name);
 		else if (b == 0)
-			sprintf(buf, "unlimited");
+			snprintf(buf, sizeof(buf), "unlimited");
 		else if (b >= 1000000)
-			sprintf(buf, "%7.3f Mbit/s", b/1000000);
+			snprintf(buf, sizeof(buf), "%7.3f Mbit/s", b/1000000);
 		else if (b >= 1000)
-			sprintf(buf, "%7.3f Kbit/s", b/1000);
+			snprintf(buf, sizeof(buf), "%7.3f Kbit/s", b/1000);
 		else
-			sprintf(buf, "%7.3f bit/s ", b);
+			snprintf(buf, sizeof(buf), "%7.3f bit/s ", b);
 
-		sprintf(prefix, "%05d: %s %4d ms ",
+		snprintf(prefix, sizeof(prefix), "%05d: %s %4d ms ",
 		    p->pipe_nr, buf, p->delay);
 		print_flowset_parms(&(p->fs), prefix);
 		if (verbose)
@@ -1412,7 +1413,7 @@
 		next = (void *)fs + l;
 		nbytes -= l;
 		q = (struct dn_flow_queue *)(fs+1);
-		sprintf(prefix, "q%05d: weight %d pipe %d ",
+		snprintf(prefix, sizeof(prefix), "q%05d: weight %d pipe %d ",
 		    fs->fs_nr, fs->weight, fs->parent_nr);
 		print_flowset_parms(fs, prefix);
 		list_queues(fs, q);
@@ -2217,9 +2218,9 @@
 			 * set clocking interface or bandwidth value
 			 */
 			if (av[0][0] >= 'a' && av[0][0] <= 'z') {
-			    int l = sizeof(pipe.if_name)-1;
+			    int l = sizeof(pipe.if_name);
 			    /* interface name */
-			    strncpy(pipe.if_name, av[0], l);
+			    strlcpy(pipe.if_name, av[0], l);
 			    pipe.if_name[l] = '\0';
 			    pipe.bandwidth = 0;
 			} else {
@@ -3596,7 +3597,7 @@
 
 	while (fgets(buf, BUFSIZ, f)) {
 		lineno++;
-		sprintf(linename, "Line %d", lineno);
+		snprintf(linename, sizeof(linename), "Line %d", lineno);
 		args[0] = linename;
 
 		if (*buf == '#')