diff --git a/crypto/kerberosIV/lib/krb/kdc_reply.c b/crypto/kerberosIV/lib/krb/kdc_reply.c
index 7a069e42efd..2c940eca0a2 100644
--- a/crypto/kerberosIV/lib/krb/kdc_reply.c
+++ b/crypto/kerberosIV/lib/krb/kdc_reply.c
@@ -121,6 +121,9 @@ kdc_reply_cipher(KTEXT reply, KTEXT cip)
     p += krb_get_int(p, &exp_date, 4, little_endian);
     p++; /* master key version number */
     p += krb_get_int(p, &clen, 2, little_endian);
+    if (reply->length - (p - reply->dat) < clen)
+	return INTK_PROT;
+
     cip->length = clen;
     memcpy(cip->dat, p, clen);
     p += clen;