diff -Naur netkit-telnet-0.17.orig/telnet/telnet.cc netkit-telnet-0.17/telnet/telnet.cc
--- netkit-telnet-0.17.orig/telnet/telnet.cc	2000-07-23 04:24:53.000000000 +0100
+++ netkit-telnet-0.17/telnet/telnet.cc	2005-10-11 11:58:02.000000000 +0100
@@ -1050,6 +1050,7 @@
 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;
 void slc_start_reply(void) {
@@ -1061,6 +1062,18 @@
 }
 void slc_add_reply(int func, int flags, int value) {
+    /* Fix security vulnerability
+     * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
+     *
+     * A sequence of up to 6 bytes my be written for this member of the
+     * SLC suboption list by this function. The end of negotiation
+     * command, which is written by slc_end_reply(), will require 2
+     * additional bytes. Do not proceed unless there is sufficient
+     * space for these items.
+     */
+    if (&slc_replyp[6+2] > slc_reply_eom)
+        return;
+
     if ((*slc_replyp++ = func) == IAC)
         *slc_replyp++ = IAC;
     if ((*slc_replyp++ = flags) == IAC)
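Review bot: The new guard in slc_add_reply, `if (&slc_replyp[6+2] > slc_reply_eom)`, forms a pointer up to 8 bytes past `slc_replyp` before comparing it, and when the buffer is nearly full that address lies beyond the one-past-the-end of `slc_reply`, which is undefined behaviour in C/C++ and a comparison an optimising compiler is entitled to fold away; the same bound is obtained without leaving the array by subtracting the two pointers, `if (slc_reply_eom - slc_replyp < 6 + 2) return;`. The literals 6 and 2 encode the maximum encoded size of one SLC triplet and of the end-of-suboption sequence, so naming them (for example an enum or `const` next to `slc_reply_eom`) would let slc_end_reply() share the same constant instead of relying on this comment staying in step with its code. The early `return` silently drops the entry, so the reply sent to the peer is shorter than the caller believes; a brief comment stating that truncation is intentional and that the caller is not informed would help, and the comment's "my be written" should read "may be written". The body of slc_add_reply continues past the end of the hunk, as does the slc_end_reply() whose 2-byte reservation the check relies on, so whether that function has its own bound check cannot be confirmed from here.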