--- tac_plus.F4.0.3.alpha.orig/packet.c       Sat Apr  3 10:03:46 1999
+++ tac_plus.F4.0.3.alpha/packet.c      Sun Nov 28 08:28:27 1999
@@ -446,6 +446,13 @@

     /* get memory for the packet */
     len = TAC_PLUS_HDR_SIZE + ntohl(hdr.datalength);
+    if ((ntohl(hdr.datalength) & ~0xffffUL) ||
+       len < TAC_PLUS_HDR_SIZE || len > 0x10000) {
+       report(LOG_ERR,
+              "%s: Illegal data size: %lu\n",
+              session.peer, ntohl(hdr.datalength));
+       return(NULL);
+    }
     pkt = (u_char *) tac_malloc(len);

     /* initialise the packet */