diff --git a/src/vlserver/vlprocs.c b/src/vlserver/vlprocs.c
index 6a72c94fa7..7eb99fe528 100644
--- a/src/vlserver/vlprocs.c
+++ b/src/vlserver/vlprocs.c
@@ -1660,7 +1660,8 @@ ListAttributesN2(struct rx_call *rxcall,
     int pollcount = 0;
     int namematchRWBK, namematchRO, thismatch;
     int matchtype = 0;
-    char volumename[VL_MAXNAMELEN+2]; /* regex anchors */
+    int size;
+    char volumename[VL_MAXNAMELEN+3]; /* regex anchors */
     char rxstr[AFS_RXINFO_LEN];
 #ifdef HAVE_POSIX_REGEX
     regex_t re;
@@ -1733,7 +1734,11 @@ ListAttributesN2(struct rx_call *rxcall,
 		code = VL_PERM;
 		goto done;
 	    }
-	    sprintf(volumename, "^%s$", name);
+	    size = snprintf(volumename, sizeof(volumename), "^%s$", name);
+	    if (size < 0 || size >= sizeof(volumename)) {
+		code = VL_BADNAME;
+		goto done;
+	    }
 #ifdef HAVE_POSIX_REGEX
 	    if (regcomp(&re, volumename, REG_NOSUB) != 0) {
 		code = VL_BADNAME;
@@ -1778,7 +1783,12 @@ ListAttributesN2(struct rx_call *rxcall,
 		    /* Does the name match the RW name */
 		    if (tentry.flags & VLF_RWEXISTS) {
 			if (findname) {
-			    sprintf(volumename, "%s", tentry.name);
+			    size = snprintf(volumename, sizeof(volumename),
+					    "%s", tentry.name);
+			    if (size < 0 || size >= sizeof(volumename)) {
+				code = VL_BADNAME;
+				goto done;
+			    }
 #ifdef HAVE_POSIX_REGEX
 			    if (regexec(&re, volumename, 0, NULL, 0) == 0) {
 				thismatch = VLSF_RWVOL;
@@ -1796,7 +1806,13 @@ ListAttributesN2(struct rx_call *rxcall,
 		    /* Does the name match the BK name */
 		    if (!thismatch && (tentry.flags & VLF_BACKEXISTS)) {
 			if (findname) {
-			    sprintf(volumename, "%s.backup", tentry.name);
+			    /* If this fails, the tentry.name is invalid */
+			    size = snprintf(volumename, sizeof(volumename),
+					    "%s.backup", tentry.name);
+			    if (size < 0 || size >= sizeof(volumename)) {
+				code = VL_BADNAME;
+				goto done;
+			    }
 #ifdef HAVE_POSIX_REGEX
 			    if (regexec(&re, volumename, 0, NULL, 0) == 0) {
 				thismatch = VLSF_BACKVOL;
@@ -1825,8 +1841,13 @@ ListAttributesN2(struct rx_call *rxcall,
 				thismatch =
 				    ((namematchRO == 1) ? VLSF_ROVOL : 0);
 			    } else {
-				sprintf(volumename, "%s.readonly",
-					tentry.name);
+				/* If this fails, the tentry.name is invalid */
+				size = snprintf(volumename, sizeof(volumename),
+						"%s.readonly", tentry.name);
+				if (size < 0 || size >= sizeof(volumename)) {
+				    code = VL_BADNAME;
+				    goto done;
+				}
 #ifdef HAVE_POSIX_REGEX
 			    if (regexec(&re, volumename, 0, NULL, 0) == 0) {
 				thismatch = VLSF_ROVOL;