diff --git a/kadmin/ChangeLog b/kadmin/ChangeLog
index f51cfa074..6b0d02fde 100644
--- a/kadmin/ChangeLog
+++ b/kadmin/ChangeLog
@@ -1,3 +1,8 @@
+2002-09-09 Jacques Vidrine
+
+ * server.c (kadmind_dispatch): while decoding arguments for
+ kadm_chpass_with_key, sanity check the number of keys given
+
 2002-09-04 Johan Danielsson
 * load.c (parse_generation): return if there is no generation
diff --git a/kadmin/server.c b/kadmin/server.c
index 105c99352..28a934fcb 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -255,6 +255,13 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 krb5_free_principal(context->context, princ);
 goto fail;
 }
+ /* n_key_data will be squeezed into an int16_t below. */
+ if (n_key_data < 0 || n_key_data >= 1 << 16 ||
+ n_key_data > UINT_MAX/sizeof(*key_data)) {
+ ret = ERANGE;
+ krb5_free_principal(context->context, princ);
+ goto fail;
+ }
 key_data = malloc (n_key_data * sizeof(*key_data));
 if (key_data == NULL) {
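Review bot: The upper bound `n_key_data >= 1 << 16` in the new range check lets 32768 through 65535 pass, yet the comment directly above it says the count is later stored in an int16_t, whose maximum is 32767; if that destination really is signed 16-bit (it lies outside the hunk), those values would come out negative after the narrowing. Tightening the first line to `if (n_key_data < 0 || n_key_data >= 1 << 15 ||` keeps every accepted count representable. Separately, a count of 0 still reaches `malloc (n_key_data * sizeof(*key_data))`, which may return NULL for a zero size and would then be treated as an allocation failure by the `key_data == NULL` test, so the zero-key case deserves an explicit decision next to this check. The body of kadmind_dispatch starts and ends outside the hunk, so the declaration of n_key_data and the inclusion of `<limits.h>` for UINT_MAX could not be confirmed from here.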