diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 9a0905dac..c41afb0b4 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -3018,6 +3018,11 @@ decrypt_internal_derived(krb5_context context,
 	return EINVAL;		/* XXX - better error code? */
     }
 
+    if (((len - checksum_sz) % et->padsize) != 0) {
+	krb5_clear_error_string(context);
+	return KRB5_BAD_MSIZE;
+    }
+
     p = malloc(len);
     if(len != 0 && p == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
@@ -3027,10 +3032,6 @@ decrypt_internal_derived(krb5_context context,
 
     len -= checksum_sz;
 
-    if ((len % et->padsize) != 0) {
-	krb5_clear_error_string(context);
-	return KRB5_BAD_MSIZE;
-    }
     ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
     if(ret) {
 	free(p);