diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
index 4e3fcd659..031a621ea 100644
--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
 
     if (mech_len != mech->length)
 	return GSS_S_BAD_MECH;
+    if (mech_len > total_len)
+	return GSS_S_BAD_MECH;
+    if (p - *str > total_len - mech_len)
+	return GSS_S_BAD_MECH;
     if (ct_memcmp(p,
 		  mech->elements,
 		  mech->length) != 0)