diff --git a/sonoff/_changelog.ino b/sonoff/_changelog.ino
index 2983ee9de..2f2a7b1c2 100644
--- a/sonoff/_changelog.ino
+++ b/sonoff/_changelog.ino
@@ -1,4 +1,5 @@
 /* 6.1.1b
+ * Fix command Scale buffer overflow (#3236)
  * Fix rules once regression from v6.1.0 (#3198, #3226)
  * Add default Wifi Configuration tool as define WIFI_CONFIG_NO_SSID in user_config.h if no SSID is configured (#3224)
  * Add user selection of Wifi Smartconfig as define USE_SMARTCONFIG in user_config.h
diff --git a/sonoff/xdrv_10_rules.ino b/sonoff/xdrv_10_rules.ino
index 54a04fbc6..2129fdbbe 100644
--- a/sonoff/xdrv_10_rules.ino
+++ b/sonoff/xdrv_10_rules.ino
@@ -557,44 +557,38 @@ boolean RulesCommand()
     snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, Settings.mems[index -1]);
   }
   else if ((CMND_ADD == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ) {
+    if (XdrvMailbox.data_len > 0) {
       double tempvar = CharToDouble(vars[index -1]) + CharToDouble(XdrvMailbox.data);
-      dtostrfd(tempvar,2,vars[index -1]);
+      dtostrfd(tempvar, 2, vars[index -1]);
     }
     snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
   }
   else if ((CMND_SUB == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ){
+    if (XdrvMailbox.data_len > 0) {
       double tempvar = CharToDouble(vars[index -1]) - CharToDouble(XdrvMailbox.data);
-      dtostrfd(tempvar,2,vars[index -1]);
+      dtostrfd(tempvar, 2, vars[index -1]);
     }
     snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
   }
   else if ((CMND_MULT == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ){
+    if (XdrvMailbox.data_len > 0) {
       double tempvar = CharToDouble(vars[index -1]) * CharToDouble(XdrvMailbox.data);
-      dtostrfd(tempvar,2,vars[index -1]);
+      dtostrfd(tempvar, 2, vars[index -1]);
     }
     snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
   }
   else if ((CMND_SCALE == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ) {
+    if (XdrvMailbox.data_len > 0) {
       if (strstr(XdrvMailbox.data, ",")) {     // Process parameter entry
-        double value = 0;
-        double valueIN = 0;
-        double fromLow = 0;
-        double fromHigh = 0;
-        double toLow = 0;
-        double toHigh = 0;
+        char sub_string[XdrvMailbox.data_len +1];
 
-        valueIN = CharToDouble(subStr(XdrvMailbox.data, ",", 1));
-        fromLow = CharToDouble(subStr(XdrvMailbox.data, ",", 2));
-        fromHigh = CharToDouble(subStr(XdrvMailbox.data, ",", 3));
-        toLow = CharToDouble(subStr(XdrvMailbox.data, ",", 4));
-        toHigh = CharToDouble(subStr(XdrvMailbox.data, ",", 5));
-
-        value = map_double(valueIN, fromLow, fromHigh, toLow, toHigh);
-        dtostrfd(value,2,vars[index -1]);
+        double valueIN = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 1));
+        double fromLow = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 2));
+        double fromHigh = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 3));
+        double toLow = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 4));
+        double toHigh = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 5));
+        double value = map_double(valueIN, fromLow, fromHigh, toLow, toHigh);
+        dtostrfd(value, 2, vars[index -1]);
       }
     }
     snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
@@ -610,17 +604,16 @@ double map_double(double x, double in_min, double in_max, double out_min, double
 }
 
 // Function to return a substring defined by a delimiter at an index
-char* subStr (char* str, const char *delim, int index)
+char* subStr(char* dest, char* str, const char *delim, int index)
 {
   char *act;
   char *sub;
   char *ptr;
-  static char copy[10];
   int i;
 
   // Since strtok consumes the first arg, make a copy
-  strcpy(copy, str);
-  for (i = 1, act = copy; i <= index; i++, act = NULL) {
+  strncpy(dest, str, strlen(str));
+  for (i = 1, act = dest; i <= index; i++, act = NULL) {
     sub = strtok_r(act, delim, &ptr);
     if (sub == NULL) break;
   }
@@ -628,7 +621,6 @@ char* subStr (char* str, const char *delim, int index)
   return sub;
 }
 
-
 /*********************************************************************************************\
  * Interface
 \*********************************************************************************************/