--- cyrus-sasl-1.5.24/plugins/gssapi.c	Wed Dec  6 11:39:51 2000
+++ cyrus-sasl-1.5.24/plugins/gssapi.c	Wed Dec  6 11:42:31 2000
@@ -1241,9 +1241,18 @@
 	    return SASL_BADPARAM;
 	}
 
-	/* need bits of layer */
-	allowed = secprops.max_ssf - external;
-	need = secprops.min_ssf - external;
+	/* need bits of layer -- sasl_ssf_t is unsigned so be careful */
+	if(secprops.max_ssf >= external) {
+		allowed = secprops.max_ssf - external;
+	} else {
+		allowed = 0;
+	}
+	if(secprops.min_ssf >= external) {
+		need = secprops.min_ssf - external;
+	} else {
+		/* good to go */
+		need = 0;
+	}
 	serverhas = ((char *)output_token->value)[0];
 
 	/* if client didn't set use strongest layer available */