diff -ruN telnet-bsd-1.1/telnet/telnet.c telnet-bsd-1.1.fixed/telnet/telnet.c
--- telnet-bsd-1.1/telnet/telnet.c 2004-02-14 05:11:27.000000000 -0800
+++ telnet-bsd-1.1.fixed/telnet/telnet.c 2005-02-23 07:21:09.898412008 -0800
@@ -1245,6 +1245,10 @@
 void slc_add_reply (unsigned char func, unsigned char flags, cc_t value)
 {
+ if (slc_replyp + 6 >= slc_reply + sizeof(slc_reply)) {
+ printf("slc_add_reply: not enough room\n");
+ return;
+ }
 if ((*slc_replyp++ = func) == IAC)
 *slc_replyp++ = IAC;
 if ((*slc_replyp++ = flags) == IAC)
@@ -1258,6 +1262,10 @@
 {
 int len;
+ if (slc_replyp + 2 >= slc_reply + sizeof(slc_reply)) {
+ printf("slc_end_reply: not enough room\n");
+ return;
+ }
 *slc_replyp++ = IAC;
 *slc_replyp++ = SE;
 len = slc_replyp - slc_reply;
@@ -1416,7 +1424,11 @@
 {
 int len;
 unsigned char *p;
+ /* Pointer wrap should be no issue here */
 opt_replyend += OPT_REPLY_SIZE;
+ opt_replyend += 2*strlen(ep);
+ if (vp)
+ opt_replyend += 2*strlen(vp);
 len = opt_replyend - opt_reply;
 p = (unsigned char *) realloc (opt_reply, len);
 if (p == NULL)
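Review bot: The guard added at the top of slc_add_reply forms `slc_replyp + 6` before comparing it, which creates a pointer beyond one-past-the-end whenever fewer than six bytes remain; comparing the remaining space instead keeps the arithmetic inside the array: `if (slc_reply + sizeof(slc_reply) - slc_replyp < 6) {`, and likewise `< 2` for the check added in the slc_end_reply hunk. The `>=` in both checks is also one byte conservative: six bytes is the most the three IAC-doubled stores below can write, so a reply that would fit exactly is dropped (harmless, but `>` is the exact bound). Both checks depend on `slc_reply` being a real array so that `sizeof(slc_reply)` is its capacity; a one-line comment at the declaration, `/* slc_add_reply/slc_end_reply bound their writes by sizeof(slc_reply); keep this an array */`, would stop a later change to a pointer from silently disabling them. slc_add_reply's body continues past the end of the hunk.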
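Review bot: The growth in env_opt_add is accumulated by three separate additions directly on `opt_replyend`, and the new comment `/* Pointer wrap should be no issue here */` records an assumption the code does not check; computing the increment as an integer first keeps the pointer arithmetic to one step, e.g. `size_t grow = OPT_REPLY_SIZE + 2 * strlen(ep) + (vp ? 2 * strlen(vp) : 0); opt_replyend += grow;` (with whatever cast ep and vp's declared type needs for strlen). The `2*` factor is the right worst case only if every byte of ep and vp can be expanded to two bytes by the escaping done later, and that is what the comment should say: `/* each byte of ep/vp may be doubled by escaping; reserve 2x plus the framing covered by OPT_REPLY_SIZE */`. `len` is an `int` receiving a pointer difference, so the size handed to `realloc` is narrowed before the call. If the `p == NULL` path, which lies outside the hunk, does not reset `opt_replyend`, the pointer is left advanced past a buffer that was never grown; the function continues beyond the hunk.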