1 files changed, 18 insertions, 5 deletions

diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index 8c47d0f..4b304af 100644
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -39,8 +39,9 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
 {
     krb5_context	context;
     krb5_gss_ctx_id_rec	*ctx;
-    OM_uint32		cfsize;
     OM_uint32		ohlen;
+    OM_uint32		data_size, conflen;
+    int			overhead;
 
     if (GSS_ERROR(kg_get_context(minor_status, &context)))
        return(GSS_S_FAILURE);
@@ -64,12 +65,24 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
     }
 
     /* Calculate the token size and subtract that from the output size */
-    cfsize = (conf_req_flag) ? kg_confounder_size(&ctx->enc) : 0;
+    overhead = 7 + ctx->mech_used->length;
+    data_size = req_output_size;
+    if (conf_req_flag) {
+	    conflen = kg_confounder_size(&ctx->enc);
+	    data_size = (conflen + data_size + 8) & (~7);
+    }
     ohlen = g_token_size((gss_OID) ctx->mech_used,
-			 (unsigned int) cfsize + ctx->cksum_size + 14);
+			 (unsigned int) (data_size + ctx->cksum_size + 14))
+	    - req_output_size;
 
-    /* Cannot have trailer length that will cause us to pad over our length */
-    *max_input_size = (req_output_size - ohlen) & (~7);
+    if (ohlen+overhead < req_output_size)
+	    /*
+	     * Cannot have trailer length that will cause us to pad over
+	     * our length
+	     */
+ 	    *max_input_size = (req_output_size - ohlen - overhead) & (~7);
+    else
+	    *max_input_size = 0;
     *minor_status = 0;
     return(GSS_S_COMPLETE);
 }