diff --git a/lib/gssapi/accept_sec_context.c b/lib/gssapi/accept_sec_context.c
index 396575387..49af9b070 100644
--- a/lib/gssapi/accept_sec_context.c
+++ b/lib/gssapi/accept_sec_context.c
@@ -773,6 +773,9 @@ spnego_accept_sec_context
     if (ret)
 	return ret;
 
+    if(len > data.length - taglen)
+	return ASN1_OVERRUN;
+
     ret = decode_NegTokenInit((const char *)data.data + taglen, len,
 			      &ni, &ni_len);
     if (ret)
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 396575387..49af9b070 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -773,6 +773,9 @@ spnego_accept_sec_context
     if (ret)
 	return ret;
 
+    if(len > data.length - taglen)
+	return ASN1_OVERRUN;
+
     ret = decode_NegTokenInit((const char *)data.data + taglen, len,
 			      &ni, &ni_len);
     if (ret)