--- krb5-1.5.2/src/lib/rpc/svc_auth_gss.c.cve-2007-3999 2004-09-17 15:52:12.000000000 -0600 +++ krb5-1.5.2/src/lib/rpc/svc_auth_gss.c 2007-09-05 09:28:40.000000000 -0600 @@ -365,7 +365,7 @@ svcauth_gss_validate(struct svc_req *rqs oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); - if (oa->oa_length) { + if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) { memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); buf += RNDUP(oa->oa_length) / sizeof(int32_t); } --- krb5-1.5.2/src/lib/kadm5/srv/svr_policy.c.cve-2007-3999 2007-09-05 09:31:24.000000000 -0600 +++ krb5-1.5.2/src/lib/kadm5/srv/svr_policy.c 2007-09-05 09:33:40.000000000 -0600 @@ -211,8 +211,9 @@ kadm5_modify_policy_internal(void *serve if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; - ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); - if( ret && (cnt==0) ) + if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) + return ret; + if (cnt != 1) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE))