Puzzle of the Day

A network filter monitors connections and sends mail to the system administrators whenever a new connection is opened. The filter determines the IP address of the remote host from the initial packet exchange that sets up the connection, and maps that to a name. The variable ipaddr contains the IP address of the remote host:

    /* reverse lookup of the peer address; fall back to "unknown" on failure */
    if ((hp = gethostbyaddr((char *) &ipaddr, sizeof(ipaddr), AF_INET)) == NULL) {
        neterror("gethostbyaddr", h_errno);
        hname = "unknown";
    } else
        hname = hp->h_name;

The filter uses the host name in the routine mpopen, which provides a safe environment for spawning subprocesses (it resets the PATH and IFS shell variables to known safe values, among other things) but otherwise acts like popen(3):

    /* build the command line "mail -s <hostname> root" and hand it to mpopen */
    len = strlen(hname) + strlen("mail -s %s root") + 1;
    if ((p = malloc(len * sizeof(char))) == NULL) {
        syserror("malloc", errno);
        goto ohdarn;
    }
    (void) sprintf(p, "mail -s %s root", hname);
    if ((pp = mpopen(p, "w")) == NULL) {
        syserror("mpopen", errno);
        goto ohdarn;
    }
    tick = time(NULL);
    fprintf(pp, "Connection from this host made at %s", ctime(&tick));
    fclose(pp);

1. Under what conditions is this safe, in the sense that an attacker cannot do anything to damage the system as a result of the filter's actions?

2. For those conditions in which it is not safe, how would you make it safe?
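One way to approach the second question, as an added example that is not part of the puzzle or its author's code: treat the name returned by the reverse lookup as untrusted input, accept it only if it matches a conservative host-name syntax, and hand it to the mailer as a separate argv element instead of interpolating it into a command line for a shell to parse. The functions hostname_is_safe and send_notice are my own; the "mail -s ... root" invocation and the "unknown" fallback are taken from the puzzle.

```c
#define _POSIX_C_SOURCE 200809L             /* fork, pipe, execlp, waitpid */
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Syntactic whitelist for a reverse-DNS name: dot-separated labels of letters,
 * digits and '-', none empty, none starting or ending with '-', at most 63
 * bytes per label and 255 in total.  Anything else fails, in particular
 * whitespace, shell metacharacters, control bytes and the empty string. */
int hostname_is_safe(const char *h)
{
    size_t n = strlen(h), label = 0;
    if (n == 0 || n > 255 || h[0] == '-' || h[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (h[i] == '.') {                      /* label boundary */
            if (label == 0 || h[i - 1] == '-' || h[i + 1] == '-')
                return 0;
            label = 0;
        } else if (!isalnum((unsigned char)h[i]) && h[i] != '-')
            return 0;                           /* disallowed byte */
        else if (++label > 63)
            return 0;                           /* label too long */
    }
    return label > 0;
}

/* Deliver the notice with no shell: the name is one argv element handed to
 * execlp, never part of a command string; a name that fails the check is sent
 * as "unknown", the puzzle's own fallback.  Returns exit status or -1. */
int send_notice(const char *h, const char *body)
{
    int fd[2], status;
    const char *subject = hostname_is_safe(h) ? h : "unknown";
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == 0) {                             /* child: stdin <- pipe */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("mail", "mail", "-s", subject, "root", (char *)0);
        _exit(127);                             /* exec failed */
    }
    close(fd[0]);
    if (pid == -1) { close(fd[1]); return -1; }
    write(fd[1], body, strlen(body));           /* blocking pipe: full write */
    close(fd[1]);                               /* EOF tells mail to send */
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status)
               ? WEXITSTATUS(status) : -1;
}
```

The check is purely syntactic: it keeps the name from being interpreted as anything but a subject string, and does not establish that the name really belongs to the peer, since the PTR record is under the remote side's control.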