diff --git a/src/auth/ktc.c b/src/auth/ktc.c
index 002f53bb5d..6853b0fc0a 100644
--- a/src/auth/ktc.c
+++ b/src/auth/ktc.c
@@ -682,7 +682,7 @@ GetToken(struct ktc_principal *aserver, struct ktc_token *atoken,
 		/* got token for cell; check that it will fit */
 		maxLen =
 		    atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
-		if (maxLen < tktLen) {
+		if (tktLen < 0 || tktLen > maxLen) {
 		    UNLOCK_GLOBAL_MUTEX;
 		    return KTC_TOOBIG;
 		}
diff --git a/src/kauth/knfs.c b/src/kauth/knfs.c
index 628982954b..e7c257a17e 100644
--- a/src/kauth/knfs.c
+++ b/src/kauth/knfs.c
@@ -163,7 +163,7 @@ GetTokens(afs_int32 ahost, afs_int32 auid)
 		maxLen =
 		    sizeof(token) - sizeof(struct ktc_token) +
 		    MAXKTCTICKETLEN;
-		if (maxLen < tktLen)
+		if (tktLen < 0 || tktLen > maxLen)
 		    return KTC_TOOBIG;
 		memcpy(token.ticket, stp, tktLen);
 		token.startTime = ct.BeginTimestamp;