diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c
index a7fb0d74d..05614a3f0 100644
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -677,16 +677,23 @@ spnego_reply
     ret = der_match_tag_and_length((const char *)indata.data,
 				   indata.length,
 				   ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
-    if (ret)
-	return ret;
+    if (ret) {
+	gssapi_krb5_set_status("Failed to decode NegToken choice");
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
 
-    if(len > indata.length - taglen)
-	return ASN1_OVERRUN;
+    if(len > indata.length - taglen) {
+	gssapi_krb5_set_status("Buffer overrun in NegToken choice");
+	*minor_status = ASN1_OVERRUN;
+	return GSS_S_FAILURE;
+    }
 
     ret = decode_NegTokenTarg((const char *)indata.data + taglen, 
 			      len, &targ, NULL);
     if (ret) {
-	*minor_status = ENOMEM;
+	gssapi_krb5_set_status("Failed to decode NegTokenTarg");
+	*minor_status = ret;
 	return GSS_S_FAILURE;
     }
 
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index a7fb0d74d..05614a3f0 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -677,16 +677,23 @@ spnego_reply
     ret = der_match_tag_and_length((const char *)indata.data,
 				   indata.length,
 				   ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
-    if (ret)
-	return ret;
+    if (ret) {
+	gssapi_krb5_set_status("Failed to decode NegToken choice");
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
 
-    if(len > indata.length - taglen)
-	return ASN1_OVERRUN;
+    if(len > indata.length - taglen) {
+	gssapi_krb5_set_status("Buffer overrun in NegToken choice");
+	*minor_status = ASN1_OVERRUN;
+	return GSS_S_FAILURE;
+    }
 
     ret = decode_NegTokenTarg((const char *)indata.data + taglen, 
 			      len, &targ, NULL);
     if (ret) {
-	*minor_status = ENOMEM;
+	gssapi_krb5_set_status("Failed to decode NegTokenTarg");
+	*minor_status = ret;
 	return GSS_S_FAILURE;
     }