Index: crypto/heimdal/kadmin/version4.c
diff -c crypto/heimdal/kadmin/version4.c:1.1.1.1.2.3 crypto/heimdal/kadmin/version4.c:1.1.1.1.2.4
*** crypto/heimdal/kadmin/version4.c:1.1.1.1.2.3	Fri Sep 20 05:50:21 2002
--- crypto/heimdal/kadmin/version4.c	Mon Oct 21 22:51:10 2002
***************
*** 822,827 ****
--- 822,834 ----
      off += _krb5_get_int(msg + off, &rlen, 4);
      memset(&authent, 0, sizeof(authent));
      authent.length = message.length - rlen - KADM_VERSIZE - 4;
+ 
+     if(authent.length >= MAX_KTXT_LEN) {
+ 	krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen);
+ 	make_you_loose_packet (KADM_LENGTH_ERROR, reply);
+ 	return;
+     }
+ 
      memcpy(authent.dat, (char*)msg + off, authent.length);
      off += authent.length;
      
Index: crypto/kerberosIV/kadmin/kadm_ser_wrap.c
diff -c crypto/kerberosIV/kadmin/kadm_ser_wrap.c:1.1.1.3 crypto/kerberosIV/kadmin/kadm_ser_wrap.c:1.1.1.3.12.1
*** crypto/kerberosIV/kadmin/kadm_ser_wrap.c:1.1.1.3	Sun Jan  9 02:27:52 2000
--- crypto/kerberosIV/kadmin/kadm_ser_wrap.c	Wed Oct 23 08:21:32 2002
***************
*** 117,132 ****
      u_char *retdat, *tmpdat;
      int retval, retlen;
  
!     if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
  	errpkt(errdat, dat, dat_len, KADM_BAD_VER);
  	return KADM_BAD_VER;
      }
      in_len = KADM_VERSIZE;
      /* get the length */
!     if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
  	return KADM_LENGTH_ERROR;
      in_len += retc;
      authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t);
      memcpy(authent.dat, (char *)(*dat) + in_len, authent.length);
      authent.mbz = 0;
      /* service key should be set before here */
--- 117,141 ----
      u_char *retdat, *tmpdat;
      int retval, retlen;
  
!     if (*dat_len < (KADM_VERSIZE + sizeof(u_int32_t))
! 	|| strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE) != 0) {
  	errpkt(errdat, dat, dat_len, KADM_BAD_VER);
  	return KADM_BAD_VER;
      }
      in_len = KADM_VERSIZE;
      /* get the length */
!     if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0 ||
! 	(r_len > *dat_len - KADM_VERSIZE - sizeof(u_int32_t))) {
! 	errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR);
  	return KADM_LENGTH_ERROR;
+     }
+     
      in_len += retc;
      authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t);
+     if (authent.length > MAX_KTXT_LEN) {
+ 	errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR);
+ 	return KADM_LENGTH_ERROR;
+     }
      memcpy(authent.dat, (char *)(*dat) + in_len, authent.length);
      authent.mbz = 0;
      /* service key should be set before here */