diff --git a/krb5-1.6.1-get_opt_fixup.patch b/krb5-1.6.1-get_opt_fixup.patch
new file mode 100644
index 0000000..a1880e0
--- /dev/null
+++ b/krb5-1.6.1-get_opt_fixup.patch
@@ -0,0 +1,41 @@
+Index: src/include/k5-int.h
+===================================================================
+--- src/include/k5-int.h	(revision 19537)
++++ src/include/k5-int.h	(revision 19538)
+@@ -1048,9 +1048,9 @@
+ #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
+ 
+ #define krb5_gic_opt_is_extended(s) \
+-    (((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
++    ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
+ #define krb5_gic_opt_is_shadowed(s) \
+-    (((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
++    ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
+ 
+ 
+ typedef struct _krb5_gic_opt_private {
+Index: src/lib/krb5/krb/gic_opt.c
+===================================================================
+--- src/lib/krb5/krb/gic_opt.c	(revision 19537)
++++ src/lib/krb5/krb/gic_opt.c	(revision 19538)
+@@ -206,8 +206,18 @@
+     oe = krb5int_gic_opte_alloc(context);
+     if (NULL == oe)
+ 	return ENOMEM;
+-    memcpy(oe, opt, sizeof(*opt));
+-    /* Fix these -- overwritten by the copy */
++
++    if (opt)
++        memcpy(oe, opt, sizeof(*opt));
++
++    /*
++     * Fix the flags -- the EXTENDED flag would have been
++     * overwritten by the copy if there was one.  The
++     * SHADOWED flag is necessary to ensure that the
++     * krb5_gic_opt_ext structure that was allocated
++     * here will be freed by the library because the
++     * application is unaware of its existence.
++     */
+     oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
+ 		   KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+