--- src/lib/kadm5/srv/svr_policy.c
+++ src/lib/kadm5/srv/svr_policy.c	2007/08/24 14:32:34
@@ -211,8 +211,9 @@
     if((mask & KADM5_POLICY))
 	return KADM5_BAD_MASK;
 		
-    ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
-    if( ret && (cnt==0) )
+    if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
+ 	return ret;
+    if (cnt != 1)
 	return KADM5_UNK_POLICY;
 
     if ((mask & KADM5_PW_MAX_LIFE))

--- src/lib/rpc/svc_auth_gss.c
+++ src/lib/rpc/svc_auth_gss.c	2007/09/06 08:32:37
@@ -355,6 +355,15 @@
 	memset(rpchdr, 0, sizeof(rpchdr));
 
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+	oa = &msg->rm_call.cb_cred;
+	if (oa->oa_length > MAX_AUTH_BYTES)
+	     return (FALSE);
+
+	/* 8 XDR units from the IXDR macro calls. */
+	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + 
+				RNDUP(oa->oa_length)))
+             return (FALSE);
+
 	buf = (int32_t *)(void *)rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -362,7 +371,6 @@
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {