diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
index 640c064d0..86085f569 100644
--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
@@ -190,6 +190,9 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
     size_t padlength;
     int i;
 
+    if (wrapped_token->length < 1)
+	return GSS_S_BAD_MECH;
+
     pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
     padlength = *pad;