diff --git a/ChangeLog b/ChangeLog
index 8613e6e816..43b287310e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Thu Mar 15 14:14:20 EST 2007 Daniel P Berrange
+
+ * src/qemud_internal.c: Paranoia ensure the XML returned by
+ the getCapabilities call is NULL terminated before strduping
+ to protect from malicious / buggy server
+ * qemud/dispatch.c: Packet length for getCapabilities call
+ should be the size of the reply body, not the size of the
+ XML string.
+
 Thu Mar 15 14:14:20 EST 2007 Daniel P Berrange
 
 * src/xen_internal.c: Fix missing NULL initializer
diff --git a/qemud/dispatch.c b/qemud/dispatch.c
index 3c3b430255..bb6d51a425 100644
--- a/qemud/dispatch.c
+++ b/qemud/dispatch.c
@@ -269,7 +269,7 @@ qemudDispatchGetCapabilities (struct qemud_server *server,
 return 0;
 }
 out->header.type = QEMUD_PKT_GET_CAPABILITIES;
- out->header.dataSize = len;
+ out->header.dataSize = sizeof(out->data.getCapabilitiesReply);
 strcpy (out->data.getCapabilitiesReply.xml, xml->content);
 bufferFree (xml);
 return 0;
diff --git a/src/qemu_internal.c b/src/qemu_internal.c
index 6a490441ab..112a78c9cb 100644
--- a/src/qemu_internal.c
+++ b/src/qemu_internal.c
@@ -468,6 +468,8 @@ qemuGetCapabilities (virConnectPtr conn)
 return NULL;
 }
 
+ reply.data.getCapabilitiesReply.xml[QEMUD_MAX_XML_LEN-1] = '\0';
+
 xml = strdup (reply.data.getCapabilitiesReply.xml);
 if (!xml) {
 qemuError (conn, NULL, VIR_ERR_NO_MEMORY, NULL);
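Review bot: Setting `dataSize` to the full `sizeof(out->data.getCapabilitiesReply)` means every byte of the fixed-size `xml` buffer is now sent on the wire, including whatever follows the terminating NUL written by the `strcpy` on the next line; unless `out` is zeroed before this point (not visible in the hunk, the function starts above it), that tail is uninitialized memory disclosed to the client. The `strcpy` itself is also unbounded, and I cannot see whether the earlier code that computed `len` rejects content longer than the buffer. Both are addressed by zeroing the reply and bounding the copy: `memset(&out->data.getCapabilitiesReply, 0, sizeof out->data.getCapabilitiesReply);` followed by `if (snprintf(out->data.getCapabilitiesReply.xml, sizeof out->data.getCapabilitiesReply.xml, "%s", xml->content) >= (int)sizeof out->data.getCapabilitiesReply.xml) { /* too long: free xml and return an error */ }` in place of the `strcpy`.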
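Review bot: The forced terminator indexes the array with the macro `QEMUD_MAX_XML_LEN-1` rather than the array's own declared size, so if the declaration of `xml` ever changes independently of the macro the write lands out of bounds or leaves the real last byte unterminated; prefer `reply.data.getCapabilitiesReply.xml[sizeof(reply.data.getCapabilitiesReply.xml) - 1] = '\0';`. A one-line comment would help the next reader, e.g. `/* server may be malicious or buggy: never trust the reply to be NUL-terminated before strdup */`. Note also that terminating only the last byte keeps `strdup` in bounds but says nothing about the bytes in between; if the receive code above (outside the hunk, as is the start of qemuGetCapabilities) does not zero `reply` or check `header.dataSize` against the reply struct size, a short reply leaves the buffer holding stale stack contents, which is worth verifying.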