author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-12-11 10:07:08 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-12-11 10:07:08 +0000 |
commit | f0ed88dac3d0bb2ec10c3e799d4b410b3ec2c0c4 (patch) | |
tree | 5b37d1e85cd1bc2dd8838cbe9e59fc9fc039d85a /src | |
parent | 766c0c47840bcf05df030d33ae49ce90b2dab855 (diff) |
Taint: tweak internal documentation
Diffstat (limited to 'src')
-rw-r--r-- | src/src/local_scan.h | 5 | ||||
-rw-r--r-- | src/src/store.c | 8 |
2 files changed, 9 insertions, 4 deletions
diff --git a/src/src/local_scan.h b/src/src/local_scan.h index da9a8911a..548f70dbd 100644 --- a/src/src/local_scan.h +++ b/src/src/local_scan.h @@ -9,7 +9,10 @@ source for the local_scan.c() function. It contains definitions that are made available for use in that function, and which are documented. -This API is also used for functions called by the ${dlfunc expansion item. */ +This API is also used for functions called by the ${dlfunc expansion item. +Coders of dlfunc routines should read the notes on tainting at the start of +store.c +*/ /* Some basic types that make some things easier, the Exim configuration diff --git a/src/src/store.c b/src/src/store.c index b65649f4a..61f9464af 100644 --- a/src/src/store.c +++ b/src/src/store.c @@ -62,9 +62,11 @@ The following different types of store are recognized: recopy a string being built into a tainted allocation if it meets a %s for a tainted argument. Any intermediate-layer function that (can) return a new allocation should behave this way; returning a tainted result if any tainted - content is used. Users of functions that modify existing allocations should - check if a tainted source and an untainted destination is used, and fail instead - (sprintf() being the classic case). + content is used. Intermediate-layer functions (eg. Ustrncpy) that modify + existing allocations fail if tainted data is written into an untainted area. + Users of functions that modify existing allocations should check if a tainted + source and an untainted destination is used, and fail instead (sprintf() being + the classic case). */ |
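Review bot: In the local_scan.h hunk, the added pointer "Coders of dlfunc routines should read the notes on tainting at the start of store.c" is addressed only to dlfunc authors, although the same comment block says this header is the API for local_scan() as well. If the tainting rules also bind local_scan() code, say so here, since a reader writing a local_scan() would otherwise skip the note. The sentence also ends without a full stop before the closing `*/`. It would also help to name the one rule a plugin author most needs (a result built from tainted input must be returned as tainted) rather than leaving it entirely to a cross-file reference.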
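Review bot: In the store.c hunk, the new sentence "Intermediate-layer functions (eg. Ustrncpy) that modify existing allocations fail if tainted data is written into an untainted area" does not say what "fail" means to the caller (a return value to test, or a process-level panic), and that is the detail a dlfunc or local_scan author sent here from local_scan.h needs. The retained sentence after it, "Users of functions that modify existing allocations should check ... and fail instead", now reads as if callers must check even when the function already does. Suggest stating which functions perform the check themselves and which, like sprintf(), leave it to the caller, and tightening "fail instead", whose "instead" has lost its antecedent. Minor: "eg." would normally be written "e.g.".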