Subject: are err(3) safe?
To: None <netbsd-users@netbsd.org>
From: Steve Bellovin <smb@research.att.com>
List: netbsd-users
Date: 11/15/2001 12:53:05

The routines in the err(3) family can take format strings.  A number of 
programs have had security problems because of assorted format-related 
vulnerabilities, including buffer overflows.  The latter is what 
concerns me here -- is the code safe, or should I limit string lengths?
From a quick glance at the source, I *think* they're safe, because 
err.c ultimately calls verr, which uses vfprintf.  But there are enough 
twisty little macro calls that I want to be sure on this point.  (A 
related issue is how safe implementations of this routine are on other 
platforms, especially Linux.)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
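
The structure the post describes (a variadic wrapper that hands its format and va_list to vfprintf), as an added example that is not part of the original message and is not NetBSD's err.c. The names demo_vwarn, demo_warn and render_diag are hypothetical; the example shows that a long untrusted string passed as a "%s" argument is streamed without a fixed-size buffer, and that conversion specifiers inside it are printed literally.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical verr-style core: writes "demo: <message>: <strerror>\n".
 * The message is streamed by vfprintf, with no fixed-size staging buffer. */
static int demo_vwarn(FILE *out, int code, const char *fmt, va_list ap)
{
    if (fprintf(out, "demo: ") < 0)
        return -1;
    if (fmt != NULL && (vfprintf(out, fmt, ap) < 0 || fputs(": ", out) == EOF))
        return -1;
    return fprintf(out, "%s\n", strerror(code)) < 0 ? -1 : 0;
}

static int demo_warn(FILE *out, int code, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int rc = demo_vwarn(out, code, fmt, ap);
    va_end(ap);
    return rc;
}

/* Render one diagnostic for an untrusted string and return it as a
 * malloc'd C string (caller frees), or NULL on failure. The untrusted
 * data is an argument to a constant "%s" format, never the format itself. */
char *render_diag(const char *untrusted)
{
    FILE *tmp = tmpfile();
    char *buf = NULL;
    if (tmp == NULL)
        return NULL;
    if (demo_warn(tmp, ENOENT, "cannot open %s", untrusted) == 0) {
        long len = ftell(tmp);
        if (len >= 0 && (buf = malloc((size_t)len + 1)) != NULL) {
            rewind(tmp);
            if (fread(buf, 1, (size_t)len, tmp) != (size_t)len) {
                free(buf);
                buf = NULL;
            } else {
                buf[len] = '\0';
            }
        }
    }
    fclose(tmp);
    return buf;
}
```

The same discipline applies to the real err(3) family: keep the format a constant and pass external data only as arguments.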