diff --git a/CHANGELOG b/CHANGELOG
index 780513d1f..62f8c6813 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o Fixed an issue in FTP bounce scan where a single null byte is written past
+ the end of the receive buffer. The issue is triggered by a malicious server
+ but does not cause a crash with default builds. [Tyler Zars]
+
 o [GH#3130] Fix a crash (stack overflow due to excessive recursion) in the
 parallel DNS resolver. Additionally, improved performance by processing
 responses that come after the request has timed out. [Daniel Miller]
diff --git a/nmap_ftp.cc b/nmap_ftp.cc
index 27a1565e4..c6b84e3b8 100644
--- a/nmap_ftp.cc
+++ b/nmap_ftp.cc
@@ -263,7 +263,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
 return;
 }
 } else { /* Our send is good */
- res = recvtime(sd, recvbuf, 2048, 15, NULL);
+ res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 15, NULL);
 if (res <= 0) {
 perror("recv problem from FTP bounce server");
 } else { /* our recv is good */
@@ -286,7 +286,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
 privok = true;
 }
 if (send(sd, "LIST\r\n", 6, 0) > 0 ) {
- res = recvtime(sd, recvbuf, 2048, 12, &timedout);
+ res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 12, &timedout);
 if (res < 0) {
 perror("recv problem from FTP bounce server");
 } else if (res == 0) {
@@ -302,10 +302,10 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
 /* oh dear, we are not aligned properly */
 if (o.verbose || o.debugging)
 error("FTP command misalignment detected ... correcting.");
- res = recvtime(sd, recvbuf, 2048, 10, NULL);
+ res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, NULL);
 }
 if (recvbuf[0] == '1') {
- res = recvtime(sd, recvbuf, 2048, 10, &timedout);
+ res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, &timedout);
 if (res < 0)
 perror("recv problem from FTP bounce server");
 else if (timedout || res == 0) {
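Review bot: The `- 1` in the new recvtime() call at -263 encodes a contract of recvtime() — that it writes a terminating NUL at `buf[len]` — that is stated only in the CHANGELOG entry and at none of the five call sites, so the next reader sees an unexplained off-by-one; add `/* recvtime() NUL-terminates at buf[len]; leave room for it */` at this first site. The same expression is restated in the -286, -302 and -314 hunks; hoisting it once into `const size_t recvlen = sizeof(recvbuf) - 1;` beside the recvbuf declaration (outside these hunks) would keep the five sites from drifting, and would also make it obvious that `sizeof(recvbuf)` only sizes the buffer correctly while recvbuf remains an array local to bounce_scan, which the hunks do not show. In the -302 hunk the result of the misalignment re-read is assigned to res but not checked before `recvbuf[0] == '1'` is tested, so on an error return the test presumably examines whatever the previous reply left in the buffer — the other sites check res first. bounce_scan() begins and ends outside every hunk.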
@@ -314,7 +314,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
 target->ports.setPortState(portarray[i], IPPROTO_TCP, PORT_FILTERED);
 }
 // Get response and discard
- res = recvtime(sd, recvbuf, 2048, 10, &timedout);
+ res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, &timedout);
 recvbuf[0] = '\0';
 goto nextport;
 }