It's pretty simple, just look where I made the <--- arrow in my original post.
A patch might look like this:

static int fillinds(DS *ds, Dest *dp) { Conn *conn; if (dp->winner < 0) return -1; conn = &dp->conn[dp->winner]; if (dp->cfdp) *ds->cfdp = conn->cfd; if (ds->dir) { - strncpy(ds->dir, conn->dir, NETPATHLEN); - ds->dir[NETPATHLEN] = '\0'; + strncpy(ds->dir, conn->dir, NETPATHLEN-1); + ds->dir[NETPATHLEN-1] = '\0'; } return conn->dfd; }

To be clear, everyone seems to get confused with conn->dir vs ds->dir. conn->dir has NETPATHLEN+1 capacity (why? makes no sense..). There's no overflow at conn->dir. But ds->dir is a pointer to the connection dir string passed by the caller of dial(). This buffer is just 40 (NETPATHLEN) bytes long (that's its required minimum size), so doing:

ds->dir[NETPATHLEN] = '\0';

will write beyond it. There's no patch yet. Geoff is notified of the issue.

-- cinap
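Review bot: in the unchanged context of this hunk the guard tests dp->cfdp but the store writes through *ds->cfdp; if that is what the code reads and not a transcription slip, the NULL check does not protect the pointer that is actually dereferenced and should test ds->cfdp instead. The two + lines do keep the terminator inside a NETPATHLEN-byte caller buffer, but at the cost of silently truncating a full-length conn->dir (NETPATHLEN characters, which its NETPATHLEN+1 capacity allows) to NETPATHLEN-1; that deserves a comment, or a length check that fails the call rather than dropping the last character.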
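As an added illustration (not cinap's code and not the 9front source): the caller's NETPATHLEN-byte dir buffer is modelled with one extra byte standing in for whatever the caller stores next to it, and both the original and the patched fillinds() copy are run against the longest string conn->dir can hold. The function names, the marker byte and the sample string are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NETPATHLEN 40   /* the caller's dir buffer is this long, per the post */

/* Original fillinds() copy: the terminator lands at index NETPATHLEN,
 * one past the end of a NETPATHLEN-byte buffer. */
static void copy_original(char *dst, const char *src)
{
    strncpy(dst, src, NETPATHLEN);
    dst[NETPATHLEN] = '\0';
}

/* Patched copy from the post: the terminator stays inside the buffer. */
static void copy_patched(char *dst, const char *src)
{
    strncpy(dst, src, NETPATHLEN - 1);
    dst[NETPATHLEN - 1] = '\0';
}

/* Caller storage: NETPATHLEN bytes of dir plus one marker byte (constructed 0xAA)
 * standing in for the caller's neighbouring data. The source is the longest
 * string conn->dir can hold (NETPATHLEN chars, since its capacity is
 * NETPATHLEN+1). Returns 1 if the marker survived the copy, 0 if overwritten. */
static int neighbour_intact(void (*copy)(char *, const char *))
{
    unsigned char storage[NETPATHLEN + 1];
    char src[NETPATHLEN + 1];
    memset(src, 'a', NETPATHLEN);
    src[NETPATHLEN] = '\0';
    storage[NETPATHLEN] = 0xAA;
    copy((char *)storage, src);
    return storage[NETPATHLEN] == 0xAA;
}

/* The patch's side effect: a full-length conn->dir loses its last character. */
static size_t patched_copy_len(void)
{
    char dst[NETPATHLEN], src[NETPATHLEN + 1];
    memset(src, 'a', NETPATHLEN);
    src[NETPATHLEN] = '\0';
    copy_patched(dst, src);
    return strlen(dst);
}

int main(void)
{
    printf("original intact=%d patched intact=%d patched len=%zu\n",
           neighbour_intact(copy_original), neighbour_intact(copy_patched), patched_copy_len());
    return 0;
}
```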