Small yet significant tweaks/cleanups:

- getpwent:
  o adjunctbuf should be NUL terminated after copying
  o _pw_breakout_yp() needs to know the length of the buffer returned
    from YP so it can properly NUL terminate its local buffer.

- getgrent:
  o YP buffers should be YPMAXRECORD + 2 bytes long and NUL terminated.
    (Previously they were hardcoded to 1024 bytes.)

- getnetgrent:
  o YP data should be copied with snprintf(), not sprintf()

These are 2.2 candidates. I will wait a few days to make sure these don't
break anything and then, if there are no objections, move them to the 2.2
branch.

lib/libc/gen/getgrent.c

@@ -473,7 +473,7 @@ static int
 _getypgroup(struct group *gr, const char *name, char *map)
 {
 	char *result, *s;
-	static char resultbuf[1024];
+	static char resultbuf[YPMAXRECORD + 2];
 	int resultlen;
 
 	if(!_gr_yp_domain) {
@@ -490,6 +490,7 @@ _getypgroup(struct group *gr, const char *name, char *map)
 
 	if(resultlen >= sizeof resultbuf) return 0;
 	strncpy(resultbuf, result, resultlen);
+	resultbuf[resultlen] = '\0';
 	free(result);
 	return(_gr_breakout_yp(gr, resultbuf));
 
@@ -502,7 +503,7 @@ _nextypgroup(struct group *gr)
 	static char *key;
 	static int keylen;
 	char *lastkey, *result;
-	static char resultbuf[1024];
+	static char resultbuf[YPMAXRECORD + 2];
 	int resultlen;
 	int rv;
 
@@ -537,7 +538,8 @@ _nextypgroup(struct group *gr)
 			goto tryagain;
 		}
 
-		strcpy(resultbuf, result);
+		strncpy(resultbuf, result, resultlen);
+		resultbuf[resultlen] = '\0';
 		free(result);
 		if((result = strchr(resultbuf, '\n')) != NULL)
 			*result = '\0';

lib/libc/gen/getnetgrent.c

@@ -503,7 +503,7 @@ read_for_group(group)
 	register int len, olen;
 	int cont;
 	struct linelist *lp;
-	char line[LINSIZ + 1];
+	char line[LINSIZ + 2];
 #ifdef YP
 	char *result;
 	int resultlen;
@@ -523,7 +523,7 @@ read_for_group(group)
 					continue;
 				}
 			}
-			sprintf(line, "%s %s", group, result);
+			snprintf(line, LINSIZ, "%s %s", group, result);
 			free(result);
 		}
 #else

lib/libc/gen/getpwent.c

@@ -568,7 +568,8 @@ static char * _get_adjunct_pw(name)
 		    &result, &resultlen)))
 		return(NULL);
 
-	strncpy((char *)&adjunctbuf, result, YPMAXRECORD);
+	strncpy(adjunctbuf, result, resultlen);
+	adjunctbuf[resultlen] = '\0';
 	free(result);
 	result = (char *)&adjunctbuf;
 
@@ -582,7 +583,7 @@ static char * _get_adjunct_pw(name)
 }
 
 static int
-_pw_breakout_yp(struct passwd *pw, char *res, int master)
+_pw_breakout_yp(struct passwd *pw, char *res, int resultlen, int master)
 {
 	char *s, *result;
 	static char resbuf[YPMAXRECORD+2];
@@ -602,7 +603,8 @@ _pw_breakout_yp(struct passwd *pw, char *res, int master)
 	 * a static buffer here since the memory pointed to by
 	 * res will be free()ed when this function returns.
 	 */
-	strncpy((char *)&resbuf, res, YPMAXRECORD);
+	strncpy((char *)&resbuf, res, resultlen);
+	resbuf[resultlen] = '\0';
 	result = (char *)&resbuf;
 
 	/*
@@ -756,7 +758,7 @@ _getyppass(struct passwd *pw, const char *name, const char *map)
 		*s = ':'; /* Put back the colon we previously replaced with a NUL. */
 	}
 
-	rv = _pw_breakout_yp(pw, result, _gotmaster);
+	rv = _pw_breakout_yp(pw, result, resultlen, _gotmaster);
 	free(result);
 	return(rv);
 }
@@ -816,7 +818,7 @@ _nextyppass(struct passwd *pw)
 		}
 
 		*s = ':'; /* Put back the colon we previously replaced with a NUL. */
-		if (_pw_breakout_yp(pw, result, _gotmaster)) {
+		if (_pw_breakout_yp(pw, result, resultlen, _gotmaster)) {
 			free(result);
 			return(1);
 		} else {