Jeff, I thought about this a bit and I believe the fundamental problem is actually with the WM_INITDLG code in lsh_pwd.c. The problem is that the code checks only for two known structure sizes: the original 2.5 size (V1) and the larger 2.6 size (V2). The code should in fact check that the size is at least the V1 structure size or at least the V2 structure size. Consider the problem where the structure gets resized in a future patch. Someone cannot write client code which will work with the new clients and old. If a size larger than required is passed to the API, it should happily take the structure and ignore members it does not know about. The first check should read: if (lpdi->size < LSH_DLGINFO_EX_V1_SZ || lpdi->dlgtype != DLGTYPE_PASSWD) { MessageBox(hDialog, "An incorrect initialization data structure was provided.", "AuthenticateProc()", MB_OK | MB_ICONSTOP); return FALSE; } // Then, the check should be if ( lpdi->size >= sizeof(LSH_DLGINFO_EX) ) { // Access the V2 members safely } If the structure size is large enough to contain the new members, then do what you need to. Comments? Pierre > -----Original Message----- > From: Unprivileged W User,,,, [mailto:www@MIT.EDU] On Behalf > Of Jeffrey Altman via RT > Sent: Monday, July 05, 2004 11:00 PM > To: Pierre Goyette > Subject: [krbdev.mit.edu #2622] Problem with LSH_DLGINFO_EX_V1_SZ > > Actually, why would an application ever be using this value? > > This #define is the value of the old data structure size, not > the new size. Programmers should never be setting the size > to that value. > Programmers should always be setting the size to sizeof(struct ...) > > I am just going to correct the definition. >