diff -ur krb5-1.3.6-orig/src/appl/telnet/telnet/telnet.c krb5-1.3.6/src/appl/telnet/telnet/telnet.c
--- krb5-1.3.6-orig/src/appl/telnet/telnet/telnet.c 2005-03-29 11:47:19.320798688 -0800
+++ krb5-1.3.6/src/appl/telnet/telnet/telnet.c 2005-03-29 11:54:57.479148032 -0800
@@ -1475,6 +1475,8 @@
 unsigned char flags;
 cc_t value;
 {
+ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+ return;
 if ((*slc_replyp++ = func) == IAC)
 *slc_replyp++ = IAC;
 if ((*slc_replyp++ = flags) == IAC)
@@ -1488,11 +1490,14 @@
 {
 register int len;
- *slc_replyp++ = IAC;
- *slc_replyp++ = SE;
 len = slc_replyp - slc_reply;
- if (len <= 6)
+ if (len <= 4 || (len + 2 > sizeof(slc_reply)))
 return;
+
+ *slc_replyp++ = IAC;
+ *slc_replyp++ = SE;
+ len += 2;
+
 if (NETROOM() > len) {
 ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
 printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
@@ -1645,6 +1650,7 @@
 register unsigned char *ep;
 {
 register unsigned char *vp, c;
+ unsigned int len, olen, elen;
 if (opt_reply == NULL) /*XXX*/
 return; /*XXX*/
@@ -1662,19 +1668,19 @@
 return;
 }
 vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
+ elen = 2 * (vp ? strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6;
+ if ((opt_replyend - opt_replyp) < elen)
 {
- register unsigned int len;
- opt_replyend += OPT_REPLY_SIZE;
- len = opt_replyend - opt_reply;
+ len = opt_replyend - opt_reply + elen;
+ olen = opt_replyp - opt_reply;
 opt_reply = (unsigned char *)realloc(opt_reply, len);
 if (opt_reply == NULL) { /*@*/
 printf("env_opt_add: realloc() failed!!!\n");
 opt_reply = opt_replyp = opt_replyend = NULL;
 return;
 }
- opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+ opt_replyp = opt_reply + olen;
 opt_replyend = opt_reply + len;
 }
 if (opt_welldefined((char *) ep))
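Review bot: The new guard in slc_add_reply reserves only the 6 bytes of the triple and nothing for the IAC SE terminator that slc_end_reply appends, so a reply whose last triple lands exactly at `sizeof(slc_reply)` passes this check and is then discarded wholesale by the `len + 2 > sizeof(slc_reply)` test in the next hunk; reserving the terminator here, `if ((size_t)(slc_replyp - slc_reply) + 8 > sizeof(slc_reply))`, keeps the two guards consistent and lets an over-long reply degrade to fewer triples instead of none. The cast also removes the signed/unsigned comparison between the pointer difference and `size_t`. The drop is silent; a comment such as `/* worst case 3 bytes, each possibly IAC-doubled; drop the triple rather than overflow */` would record the intent, and the check relies on slc_reply being declared as a true array rather than a pointer. slc_add_reply's K&R parameter list and header start before this hunk.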
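Review bot: `len` is a `register int`, so the new condition `len + 2 > sizeof(slc_reply)` compares a signed value against `size_t` under the usual arithmetic conversions; it is harmless while slc_replyp stays inside the buffer, but declaring `len` as `size_t` (or writing `(size_t)len + 2`) makes the intent explicit and quiets `-Wsign-compare`. When the guard trips, the partially built reply is abandoned without any diagnostic and slc_replyp is left where it was; a short comment stating that the caller is expected to restart the reply buffer before the next subnegotiation would help, if that is indeed the contract. The remainder of slc_end_reply continues past the end of the hunk.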
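Review bot: The `realloc` at the context line `opt_reply = (unsigned char *)realloc(opt_reply, len);` still overwrites the only pointer to the old buffer, so on failure that block is leaked before `opt_reply = opt_replyp = opt_replyend = NULL;` — the leak is pre-existing, but the commit rewrites the lines on both sides of it and could close it at the same time. Assign to a temporary first and free the original on failure, as below; the temporary needs a declaration next to `unsigned int len, olen, elen;` in the previous hunk, e.g. `unsigned char *np;`. Separately, `len = opt_replyend - opt_reply + elen;` grows the buffer by exactly the bytes needed, so a realloc is likely on most calls; `len = opt_replyend - opt_reply + elen + OPT_REPLY_SIZE;` keeps the worst-case sizing the commit introduces while restoring amortized growth. env_opt_add begins before this hunk and continues after it.
```c
		/* … unchanged: elen computation, capacity test, len/olen … */
		np = (unsigned char *)realloc(opt_reply, len);
		if (np == NULL) { /*@*/
			printf("env_opt_add: realloc() failed!!!\n");
			free(opt_reply);	/* a failed realloc leaves the old block valid */
			opt_reply = opt_replyp = opt_replyend = NULL;
			return;
		}
		opt_reply = np;
		/* … unchanged: opt_replyp / opt_replyend fix-up … */
```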