diff --git a/telnet/telnet.c b/telnet/telnet.c
index 3c0df082..42905195 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -861,7 +861,7 @@ suboption (void)
 	  len = strlen (name) + 4 + 2;
 	  if (len < NETROOM ())
 	    {
-	      sprintf ((char *) temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+	      snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
 		       TELQUAL_IS, name, IAC, SE);
 	      ring_supply_data (&netoring, temp, len);
 	      printsub ('>', &temp[2], len - 2);
@@ -885,7 +885,7 @@ suboption (void)
 
 	  TerminalSpeeds (&ispeed, &ospeed);
 
-	  sprintf ((char *) temp, "%c%c%c%c%d,%d%c%c", IAC, SB, TELOPT_TSPEED,
+	  snprintf((char *)temp, sizeof(temp), "%c%c%c%c%d,%d%c%c", IAC, SB, TELOPT_TSPEED,
 		   TELQUAL_IS, (int) ospeed, (int) ispeed, IAC, SE);
 	  len = strlen ((char *) temp + 4) + 4;	/* temp[3] is 0 ... */
 
diff --git a/telnet/utilities.c b/telnet/utilities.c
index c7e11999..fcf67b9d 100644
--- a/telnet/utilities.c
+++ b/telnet/utilities.c
@@ -732,7 +732,7 @@ printsub (char direction, unsigned char *pointer, int length)
 	      {
 		char tbuf[64];
 
-		sprintf (tbuf, "%s%s%s%s%s",
+		snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
 			 pointer[2] & MODE_EDIT ? "|EDIT" : "",
 			 pointer[2] & MODE_TRAPSIG ? "|TRAPSIG" : "",
 			 pointer[2] & MODE_SOFT_TAB ? "|SOFT_TAB" : "",