diff -u -p -Nr --exclude CVS krb4-1.1.orig/appl/telnet/telnet/telnet.c krb4-1.1/appl/telnet/telnet/telnet.c
--- krb4-1.1.orig/appl/telnet/telnet/telnet.c	2001-09-17 04:05:12.000000000 +0200
+++ krb4-1.1/appl/telnet/telnet/telnet.c	2005-05-26 16:23:57.000000000 +0200
@@ -1306,6 +1306,8 @@ slc_start_reply()
 void
 slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
 {
+	if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+		return;
 	if ((*slc_replyp++ = func) == IAC)
 		*slc_replyp++ = IAC;
 	if ((*slc_replyp++ = flags) == IAC)
@@ -1319,11 +1321,12 @@ slc_end_reply()
 {
     int len;
 
-    *slc_replyp++ = IAC;
-    *slc_replyp++ = SE;
     len = slc_replyp - slc_reply;
-    if (len <= 6)
+    if (len <= 4 || (len + 2 > sizeof(slc_reply)))
 	return;
+    *slc_replyp++ = IAC;
+    *slc_replyp++ = SE;
+    len += 2;
     if (NETROOM() > len) {
 	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
 	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
@@ -1455,6 +1458,7 @@ void
 env_opt_add(unsigned char *ep)
 {
 	unsigned char *vp, c;
+	unsigned int len, olen, elen;
 
 	if (opt_reply == NULL)		/*XXX*/
 		return;			/*XXX*/
@@ -1471,14 +1475,13 @@ env_opt_add(unsigned char *ep)
 			env_opt_add(ep);
 		return;
 	}
-	vp = env_getvalue(ep);
-	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
-				strlen((char *)ep) + 6 > opt_replyend)
+	elen = 2 * (vp ? strlen((char *)vp) : 0) +
+		2 * strlen((char *)ep) + 6;
+	if ((opt_replyend - opt_replyp) < elen)
 	{
-		int len;
 		void *tmp;
-		opt_replyend += OPT_REPLY_SIZE;
-		len = opt_replyend - opt_reply;
+		len = opt_replyend - opt_reply + elen;
+		olen = opt_replyp - opt_reply;
 		tmp = realloc(opt_reply, len);
 		if (tmp == NULL) {
 /*@*/			printf("env_opt_add: realloc() failed!!!\n");
@@ -1486,7 +1489,7 @@ env_opt_add(unsigned char *ep)
 			return;
 		}
 		opt_reply = tmp;
-		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+		opt_replyp = opt_reply + olen;
 		opt_replyend = opt_reply + len;
 	}
 	if (opt_welldefined((char *)ep)) {
