> @@ -1176,6 +1198,9 @@
> goto error;
> }
>
> + if (a_reply->length < 2 || a_state->length < 2)
> + goto error;
> +
> memcpy(challenge, a_reply->data, a_reply->length - 2);
> challenge[a_reply->length - 2] = 0;
>
What's this bit about? Doesn't the length check done just above this addition make this superfluous? -frank
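Review bot: The added guard bounds the two lengths only from below; nothing visible in this hunk bounds `a_reply->length - 2` from above against the size of `challenge` before the `memcpy` and the terminator write at `challenge[a_reply->length - 2]`. The declaration of `challenge` and the code before the hunk are not shown, so this may already be covered elsewhere. If it is not, the same guard could carry the upper bound, e.g. `if (a_reply->length - 2 >= sizeof(challenge)) goto error;`, assuming `challenge` is an array in this scope. The `a_state->length < 2` half is not consumed by any visible line, so a one-line comment such as `/* both buffers are used below with length - 2 */` would tie it to its later use, presumably below the hunk. The enclosing function starts and ends outside the hunk.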