diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c
index ae576eccf..c491561c6 100644
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -137,6 +137,10 @@ ARCFOUR_subencrypt(krb5_context context,
 unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
 krb5_error_code ret;
 
+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
 t[0] = (usage >> 0) & 0xFF;
 t[1] = (usage >> 8) & 0xFF;
 t[2] = (usage >> 16) & 0xFF;
@@ -205,6 +209,10 @@ ARCFOUR_subdecrypt(krb5_context context,
 unsigned char cksum_data[16];
 krb5_error_code ret;
 
+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
 t[0] = (usage >> 0) & 0xFF;
 t[1] = (usage >> 8) & 0xFF;
 t[2] = (usage >> 16) & 0xFF;
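Review bot: The new `if (len < 16)` guard in ARCFOUR_subencrypt, and the identical one in ARCFOUR_subdecrypt, uses a bare 16 and does not say why the bound exists. The value matches the 16-byte checksum buffers declared just above (`k1_c_data[16]`, `cksum_data[16]`), so a comment such as `/* data begins with a 16-byte checksum; a shorter buffer would make len - 16 wrap */` would tell the next reader why the check must stay. Both function bodies continue outside the hunks, so confirm that the later code really subtracts 16 from an unsigned length before wording it that way. KRB5KRB_AP_ERR_INAPP_CKSUM describes a wrong checksum type rather than a truncated buffer, so a size error such as `return KRB5_BAD_MSIZE;` preceded by a `krb5_set_error_message()` call would make rejected short inputs easier to recognise in logs. A regression test that passes a buffer shorter than 16 bytes through both paths would pin the fix.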