diff --git a/ss5/modules/mod_socks4/SS5Mod_socks4.c b/ss5/modules/mod_socks4/SS5Mod_socks4.c
index 3151df4..b9cb292 100644
--- a/ss5/modules/mod_socks4/SS5Mod_socks4.c
+++ b/ss5/modules/mod_socks4/SS5Mod_socks4.c
@@ -44,7 +44,8 @@ S5RetCode RequestParsing(struct _SS5AuthInfo *ai, struct _SS5MethodInfo *mi, str
   memcpy(sd->TcpRequest,sd->MethodRequest,sd->MethodBytesReceived);
 
   ri->Ver=mi->Ver;
-  ri->Cmd=(unsigned char)sd->TcpRequest[1];
+  if( (ri->Cmd=(unsigned char)sd->TcpRequest[1]) > 3  || ri->Cmd < 1)
+    return ERR;
 
   if( !(unsigned char)sd->TcpRequest[4] && !(unsigned char)sd->TcpRequest[5] && !(unsigned char)sd->TcpRequest[6] && (unsigned char)sd->TcpRequest[7] ) {
       /*
diff --git a/ss5/modules/mod_socks5/SS5Mod_socks5.c b/ss5/modules/mod_socks5/SS5Mod_socks5.c
index 402cd64..f3b4d03 100644
--- a/ss5/modules/mod_socks5/SS5Mod_socks5.c
+++ b/ss5/modules/mod_socks5/SS5Mod_socks5.c
@@ -153,7 +153,8 @@ S5RetCode RequestParsing(struct _SS5ClientInfo *ci, struct _SS5Socks5Data *sd, s
   }
 
   ri->Ver=(unsigned char)sd->TcpRequest[0];
-  ri->Cmd=(unsigned char)sd->TcpRequest[1];
+  if( (ri->Cmd=(unsigned char)sd->TcpRequest[1]) > 3 || ri->Cmd < 1)
+    return ERR;
 
   switch( sd->TcpRequest[3] ) {
     case IPV4: