diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c index 4eb6bf0ee4..5c397d153e 100644 --- a/libraries/libldap/cyrus.c +++ b/libraries/libldap/cyrus.c @@ -27,9 +27,6 @@ * Various Cyrus SASL related stuff. */ -#define SASL_MAX_BUFF_SIZE 65536 -#define SASL_MIN_BUFF_SIZE 4096 - int ldap_int_sasl_init( void ) { /* XXX not threadsafe */ @@ -127,23 +124,27 @@ sb_sasl_remove( Sockbuf_IO_Desc *sbiod ) } static ber_len_t -sb_sasl_pkt_length( const char *buf, int debuglevel ) +sb_sasl_pkt_length( const unsigned char *buf, int debuglevel ) { ber_len_t size; - long tmp; assert( buf != NULL ); - tmp = *((long *)buf); - size = ntohl( tmp ); + size = buf[0] << 24 + | buf[1] << 16 + | buf[2] << 8 + | buf[3]; + /* we really should check against actual buffer size set + * in the secopts. + */ if ( size > SASL_MAX_BUFF_SIZE ) { /* somebody is trying to mess me up. */ ber_log_printf( LDAP_DEBUG_ANY, debuglevel, "sb_sasl_pkt_length: received illegal packet length " "of %lu bytes\n", (unsigned long)size ); size = 16; /* this should lead to an error. */ -} + } return size + 4; /* include the size !!! */ } @@ -766,6 +767,13 @@ int ldap_pvt_sasl_secprops( return LDAP_NOT_SUPPORTED; } + if( maxbufsize && (( maxbufsize < SASL_MIN_BUFF_SIZE ) + || (maxbufsize > SASL_MAX_BUFF_SIZE ))) + { + /* bad maxbufsize */ + return LDAP_PARAM_ERROR; + } + } else { return LDAP_NOT_SUPPORTED; } diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c index cf49633cb9..ae70a5830e 100644 --- a/libraries/libldap/init.c +++ b/libraries/libldap/init.c 
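Review bot: In sb_sasl_pkt_length, `buf[0] << 24` is evaluated in `int` after integer promotion, so a first length byte of 0x80 or above shifts into the sign bit, which is undefined behaviour. If ber_len_t is wider than int, the negative result would also sign-extend before the `size > SASL_MAX_BUFF_SIZE` test. That test happens to reject such a value, but the peer-supplied length should not depend on it: widen the first operand before shifting, `size = (ber_len_t)buf[0] << 24` (assuming ber_len_t is an unsigned type of at least 32 bits, as the `%lu` cast suggests). The function also reads four bytes with no length argument, so a comment such as `/* caller must have at least 4 bytes buffered in buf */` would document the precondition; the callers are outside this hunk.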
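Review bot: The new range check in ldap_pvt_sasl_secprops exempts zero (`maxbufsize && ...`), so 0 passes while 1 through 4095 are rejected, and nothing in the hunk says why. In Cyrus SASL a maxbufsize of 0 means no security layer is supported, so if that is the intent it deserves a comment, e.g. `/* 0 is valid: no security layer; otherwise enforce MIN..MAX */`. The parsing and signedness of maxbufsize are outside the hunk, as are the start and end of the function. If the value comes from an unchecked conversion, a malformed number could arrive here as 0 and be accepted, which is worth confirming.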
@@ -409,11 +409,13 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl gopts->ldo_def_sasl_authcid = NULL; gopts->ldo_def_sasl_authzid = NULL; - memset( &gopts->ldo_sasl_secprops, '\0', sizeof(gopts->ldo_sasl_secprops) ); + memset( &gopts->ldo_sasl_secprops, + '\0', sizeof(gopts->ldo_sasl_secprops) ); gopts->ldo_sasl_secprops.max_ssf = INT_MAX; - gopts->ldo_sasl_secprops.maxbufsize = 65536; - gopts->ldo_sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS; + gopts->ldo_sasl_secprops.maxbufsize = SASL_MAX_BUFF_SIZE; + gopts->ldo_sasl_secprops.security_flags = + SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS; #endif #ifdef HAVE_TLS diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h index 1d218b8a8a..eedcf35233 100644 --- a/libraries/libldap/ldap-int.h +++ b/libraries/libldap/ldap-int.h @@ -21,6 +21,9 @@ #ifdef HAVE_CYRUS_SASL /* the need for this should be removed */ #include + +#define SASL_MAX_BUFF_SIZE 65536 +#define SASL_MIN_BUFF_SIZE 4096 #endif /*