diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c
index abcef83c1..bbf029596 100644
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -669,11 +669,14 @@ spnego_reply
 return GSS_S_BAD_MECH;
 ret = der_match_tag_and_length((const char *)indata.data,
- indata.length - taglen,
+ indata.length,
 CONTEXT, CONS, 1, &len, &taglen);
 if (ret)
 return ret;
+ if(len > indata.length - taglen)
+ return ASN1_OVERRUN;
+
 ret = decode_NegTokenTarg((const char *)indata.data + taglen, len, &targ, NULL);
 if (ret) {
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index abcef83c1..bbf029596 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -669,11 +669,14 @@ spnego_reply
 return GSS_S_BAD_MECH;
 ret = der_match_tag_and_length((const char *)indata.data,
- indata.length - taglen,
+ indata.length,
 CONTEXT, CONS, 1, &len, &taglen);
 if (ret)
 return ret;
+ if(len > indata.length - taglen)
+ return ASN1_OVERRUN;
+
 ret = decode_NegTokenTarg((const char *)indata.data + taglen, len, &targ, NULL);
 if (ret) {
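Review bot: The added guard `if(len > indata.length - taglen)` is only sound if `der_match_tag_and_length` never reports a `taglen` larger than the length it was given, because the subtraction presumably happens on unsigned lengths and would wrap instead of going negative; that guarantee is not visible in this hunk. Making the check self-contained costs nothing: `if (taglen > indata.length || len > indata.length - taglen)`. The new branch also returns the ASN.1 code `ASN1_OVERRUN` from a function that returns `GSS_S_BAD_MECH` a few lines earlier (the existing `return ret;` has the same habit), so a caller that tests the result as a GSS major status may misread it; if a minor-status out-parameter is available, storing the ASN.1 code there and returning `GSS_S_DEFECTIVE_TOKEN` would be clearer. A short comment such as `/* len is taken from the peer's token; reject it before decoding past indata */` would record why the check exists. The identical hunk in lib/gssapi/krb5/init_sec_context.c carries the same points, and spnego_reply's body starts and ends outside both hunks.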