From 02ba03938f9f91e1b96b8a9223aa5bc183550f8a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 13 Jan 2025 12:16:19 +0100
Subject: [PATCH] telnet: handle single-byte input option

Coverity CID 1638753 correctly identies this code misbehaved if the
passed in suboption is exactly one byte long by substracting two from
the unsigned size_t variable.

Closes #15987
---
 lib/telnet.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/telnet.c b/lib/telnet.c
index 64d552d159..4a7f6d060d 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -695,7 +695,10 @@ static void printsub(struct Curl_easy *data,
           infof(data, ", not IAC SE) ");
         }
       }
-      length -= 2;
+      if(length >= 2)
+        length -= 2;
+      else /* bad input */
+        return;
     }
     if(length < 1) {
       infof(data, "(Empty suboption?)");
-- 
2.47.3