--- /dev/null
+--- cyrus-sasl-1.5.24/plugins/gssapi.c Wed Dec 6 11:39:51 2000
++++ cyrus-sasl-1.5.24/plugins/gssapi.c Wed Dec 6 11:42:31 2000
+@@ -1241,9 +1241,18 @@
+ return SASL_BADPARAM;
+ }
+
+- /* need bits of layer */
+- allowed = secprops.max_ssf - external;
+- need = secprops.min_ssf - external;
++ /* need bits of layer -- sasl_ssf_t is unsigned so be careful */
++ if(secprops.max_ssf >= external) {
++ allowed = secprops.max_ssf - external;
++ } else {
++ allowed = 0;
++ }
++ if(secprops.min_ssf >= external) {
++ need = secprops.min_ssf - external;
++ } else {
++ /* good to go */
++ need = 0;
++ }
+ serverhas = ((char *)output_token->value)[0];
+
+ /* if client didn't set use strongest layer available */