*** src/lib/kadm5/srv/svr_policy.c	(revision 20254)
--- src/lib/kadm5/srv/svr_policy.c	(local)
***************
*** 211,218 ****
      if((mask & KADM5_POLICY))
  	return KADM5_BAD_MASK;
  		
!     ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
!     if( ret && (cnt==0) )
  	return KADM5_UNK_POLICY;
  
      if ((mask & KADM5_PW_MAX_LIFE))
--- 211,219 ----
      if((mask & KADM5_POLICY))
  	return KADM5_BAD_MASK;
  		
!     if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
! 	return ret;
!     if (cnt != 1)
  	return KADM5_UNK_POLICY;
  
      if ((mask & KADM5_PW_MAX_LIFE))
*** src/lib/rpc/svc_auth_gss.c	(revision 20474)
--- src/lib/rpc/svc_auth_gss.c	(local)
***************
*** 355,360 ****
--- 355,369 ----
  	memset(rpchdr, 0, sizeof(rpchdr));
  
  	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ 	oa = &msg->rm_call.cb_cred;
+ 	if (oa->oa_length > MAX_AUTH_BYTES)
+ 		return (FALSE);
+ 
+ 	/* 8 XDR units from the IXDR macro calls. */
+ 	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+ 			      RNDUP(oa->oa_length)))
+ 		return (FALSE);
+ 
  	buf = (int32_t *)(void *)rpchdr;
  	IXDR_PUT_LONG(buf, msg->rm_xid);
  	IXDR_PUT_ENUM(buf, msg->rm_direction);
***************
*** 362,368 ****
  	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
  	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
  	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- 	oa = &msg->rm_call.cb_cred;
  	IXDR_PUT_ENUM(buf, oa->oa_flavor);
  	IXDR_PUT_LONG(buf, oa->oa_length);
  	if (oa->oa_length) {
--- 371,376 ----