TomatoUSB

I'm a low karma user and thus can't paste a straight link

in bitbucket.org

pl_shibby/tomato-arm/src/d05c007143cb16385b91f2e5aa7c98ab10c149aa/release/src-rt-6.x.4708/router/rc/services.c?at=shibby-arm#cl-1483

The function allocates just 31 bytes for a list of NTP servers.
The builtin US default seems to take 54 characters

static char servers[32];
…
strcpy(servers, nvram_safe_get("ntp_server"));

Blind trust of an strcpy source is bad news to boot, but in this case the allocated string also happens to be absurdly small