I agree it's a good idea to increase safety by replacing calls to *printf with calls to *nprintf, BUT when we do so we should also add debugging assertions that the message fits into the buffer.
- sprintf(errmsg, format, errnum, detail); + snprintf(errmsg, fmtsize, IOE_FORMAT, errnum, detail); How about int needed = snprintf(...) assert(needed <= fmtsize);
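Review bot: in the added snprintf line the size argument is fmtsize, a name that suggests the length of the format rather than the capacity of errmsg, and the return value is discarded. Pass the size of the destination buffer and keep the result, so that truncation can be detected. snprintf returns the length the full message would have had, not counting the terminating NUL, so the message fits only when that value is non-negative and strictly less than the size passed.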
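The fit check discussed in this comment, written out as an added example (not code from the patch or the project). `format_msg`, `fmt_fits`, the 16-byte buffer and the sample messages are constructed for illustration; the second sample sits on the boundary where the return value equals the buffer size.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when a *nprintf return value means the whole message, including
 * its terminating NUL, was stored in a buffer of `size` bytes. */
static int fmt_fits(int needed, size_t size)
{
    /* needed < 0: output error. needed == size: the NUL took the last
     * byte, so the final character of the message was dropped. */
    return needed >= 0 && (size_t)needed < size;
}

/* Hypothetical helper: formats into buf and hands back vsnprintf's
 * return value so the caller can test it with fmt_fits(). */
static int format_msg(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return needed;
}

int main(void)
{
    char errmsg[16];                        /* constructed sample buffer */
    const char *details[] = {               /* constructed sample input  */
        "no such dir",                      /* 15 chars total: fits      */
        "out of space",                     /* 16 chars total: truncated */
        "permission denied"                 /* 21 chars total: truncated */
    };
    size_t i;

    for (i = 0; i < sizeof details / sizeof details[0]; i++) {
        int needed = format_msg(errmsg, sizeof errmsg, "E%d: %s", 5, details[i]);
        /* A debug build would place assert(fmt_fits(...)) here. */
        printf("needed=%d stored=%zu fits=%d \"%s\"\n", needed,
               strlen(errmsg), fmt_fits(needed, sizeof errmsg), errmsg);
    }
    return 0;
}
```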