diff --git a/NEWS b/NEWS
index d00f45f7..bda571b3 100644
--- a/NEWS
+++ b/NEWS
@@ -58,6 +58,7 @@ NEWS
   * [stat] mimetype.xattr-name global config option (fixes #2631)
   * [mod_webdav] allow Depth: Infinity lock on file (fixes #2296)
   * [mod_status] use snprintf() instead of sprintf()
+  * pass buf size to li_tohex()
 
 - 1.4.39 - 2016-01-02
   * [core] fix memset_s call (fixes #2698)
diff --git a/src/buffer.c b/src/buffer.c
index 7afbedc2..12123d2d 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -487,8 +487,10 @@ int buffer_is_equal_right_len(const buffer *b1, const buffer *b2, size_t len) {
 	return 0 == memcmp(b1->ptr + b1->used - 1 - len, b2->ptr + b2->used - 1 - len, len);
 }
 
-void li_tohex(char *buf, const char *s, size_t s_len) {
+void li_tohex(char *buf, size_t buf_len, const char *s, size_t s_len) {
 	size_t i;
+	force_assert(2 * s_len > s_len);
+	force_assert(2 * s_len < buf_len);
 
 	for (i = 0; i < s_len; i++) {
 		buf[2*i] = hex_chars[(s[i] >> 4) & 0x0F];
@@ -502,7 +504,7 @@ void buffer_copy_string_hex(buffer *b, const char *in, size_t in_len) {
 	force_assert(in_len * 2 > in_len);
 
 	buffer_string_set_length(b, 2 * in_len);
-	li_tohex(b->ptr, in, in_len);
+	li_tohex(b->ptr, buffer_string_space(b)+1, in, in_len);
 }
 
 /* everything except: ! ( ) * - . 0-9 A-Z _ a-z ~ */
diff --git a/src/buffer.h b/src/buffer.h
index ebdbf2f7..c2863318 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -101,7 +101,7 @@ void li_utostrn(char *buf, size_t buf_len, uintmax_t val);
 void li_utostr(char *buf, uintmax_t val); /* buf must have at least LI_ITOSTRING_LENGTH bytes */
 
 /* buf must be (at least) 2*s_len + 1 big. uses lower-case hex letters. */
-void li_tohex(char *buf, const char *s, size_t s_len);
+void li_tohex(char *buf, size_t buf_len, const char *s, size_t s_len);
 
 char * buffer_search_string_len(buffer *b, const char *needle, size_t len);
 
diff --git a/src/http_auth.c b/src/http_auth.c
index dc18b29a..00a2e2b8 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -44,10 +44,11 @@
 typedef unsigned char HASH[HASHLEN];
 typedef char HASHHEX[HASHHEXLEN+1];
 
-static void CvtHex(const HASH Bin, char Hex[33]) {
-	li_tohex(Hex, (const char*) Bin, 16);
+static void CvtHex(const HASH Bin, char (*Hex)[33]) {
+	li_tohex(*Hex, sizeof(*Hex), (const char*) Bin, 16);
 }
 
+
 /**
  * the $apr1$ handling is taken from apache 1.3.x
  */
@@ -541,7 +542,7 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p
 
 		li_MD5_CTX Md5Ctx;
 		HASH HA1;
-		char a1[256];
+		char a1[33];
 
 		li_MD5_Init(&Md5Ctx);
 		li_MD5_Update(&Md5Ctx, CONST_BUF_LEN(username));
@@ -551,7 +552,7 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p
 		li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
 		li_MD5_Final(HA1, &Md5Ctx);
 
-		CvtHex(HA1, a1);
+		CvtHex(HA1, &a1);
 
 		if (0 == strcmp(password->ptr, a1)) {
 			return 0;
@@ -819,8 +820,8 @@ typedef struct {
 
 /* return values: -1: error/bad request, 0: failed, 1: success */
 int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str) {
-	char a1[256];
-	char a2[256];
+	char a1[33];
+	char a2[33];
 
 	char *username = NULL;
 	char *realm = NULL;
@@ -1008,8 +1009,8 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 	    strcasecmp(algorithm, "md5-sess") == 0) {
 		li_MD5_Init(&Md5Ctx);
 		/* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */
-		CvtHex(HA1, a1);
-		li_MD5_Update(&Md5Ctx, (unsigned char *)a1, 32);
+		CvtHex(HA1, &a1);
+		li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
 		li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
 		li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
 		li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
@@ -1017,7 +1018,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 		li_MD5_Final(HA1, &Md5Ctx);
 	}
 
-	CvtHex(HA1, a1);
+	CvtHex(HA1, &a1);
 
 	/* calculate H(A2) */
 	li_MD5_Init(&Md5Ctx);
@@ -1032,7 +1033,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 	}
 */
 	li_MD5_Final(HA2, &Md5Ctx);
-	CvtHex(HA2, HA2Hex);
+	CvtHex(HA2, &HA2Hex);
 
 	/* calculate response */
 	li_MD5_Init(&Md5Ctx);
@@ -1050,7 +1051,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 	};
 	li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
 	li_MD5_Final(RespHash, &Md5Ctx);
-	CvtHex(RespHash, a2);
+	CvtHex(RespHash, &a2);
 
 	if (0 != strcmp(a2, respons)) {
 		/* digest not ok */
@@ -1090,7 +1091,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 }
 
 
-int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) {
+int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char (*out)[33]) {
 	HASH h;
 	li_MD5_CTX Md5Ctx;
 	char hh[LI_ITOSTRING_LENGTH];
diff --git a/src/http_auth.h b/src/http_auth.h
index eb8d8f14..65348d6e 100644
--- a/src/http_auth.h
+++ b/src/http_auth.h
@@ -69,7 +69,7 @@ typedef struct {
 
 int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str);
 int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str);
-int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char hh[33]);
+int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char (*hh)[33]);
 int http_auth_match_rules(server *srv, array *req, const char *username, const char *group, const char *host);
 
 #endif
diff --git a/src/mod_auth.c b/src/mod_auth.c
index 5c6dae38..e79f13b1 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -303,7 +303,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
 			response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(p->tmp_buf));
 		} else if (0 == strcmp(method->value->ptr, "digest")) {
 			char hh[33];
-			http_auth_digest_generate_nonce(srv, p, srv->tmp_buf, hh);
+			http_auth_digest_generate_nonce(srv, p, srv->tmp_buf, &hh);
 
 			buffer_copy_string_len(p->tmp_buf, CONST_STR_LEN("Digest realm=\""));
 			buffer_append_string_buffer(p->tmp_buf, realm->value);
diff --git a/src/mod_cml_funcs.c b/src/mod_cml_funcs.c
index 5625be76..8e809817 100644
--- a/src/mod_cml_funcs.c
+++ b/src/mod_cml_funcs.c
@@ -60,7 +60,7 @@ int f_crypto_md5(lua_State *L) {
 	li_MD5_Update(&Md5Ctx, (unsigned char *) s, (unsigned int) s_len);
 	li_MD5_Final(HA1, &Md5Ctx);
 
-	li_tohex(hex, (const char*) HA1, 16);
+	li_tohex(hex, sizeof(hex), (const char*) HA1, 16);
 
 	lua_pushstring(L, hex);
 
diff --git a/src/mod_secdownload.c b/src/mod_secdownload.c
index 540020e2..86ce5b01 100644
--- a/src/mod_secdownload.c
+++ b/src/mod_secdownload.c
@@ -175,7 +175,7 @@ static int secdl_verify_mac(server *srv, plugin_config *config, const char* prot
 			li_MD5_Update(&Md5Ctx, ts_str, 8);
 			li_MD5_Final(HA1, &Md5Ctx);
 
-			li_tohex(hexmd5, (const char *)HA1, 16);
+			li_tohex(hexmd5, sizeof(hexmd5), (const char *)HA1, 16);
 
 			return (32 == maclen) && const_time_memeq(mac, hexmd5, 32);
 		}