if ((ch & 0xC0) != 0x80) {
                    throw new IOException("Invalid UTF-8 sequence");
                }
                uni[ui] |= (ch & 0x3F) << 6;
                ch = src[si++] & 0xFF;
                uni[ui] |= ch & 0x3F;
                if ((ch & 0xC0) != 0x80 || uni[ui] < 0x800) {
                    throw new IOException("Invalid UTF-8 sequence");
                }
            } else {

        Type2Message type2Message;
        try {
            type2Message = new Type2Message(Base64.getDecoder().decode(challenge));
        } catch (final IOException exception) {
            throw new NTLMEngineException("Invalid NTLM type 2 message", exception);
        }
        final int type2Flags = type2Message.getFlags();

// very first conversation step) and attempts to move the authentication
// conversation forward.  It returns a string to be sent to the server or an
// error if the server message is invalid.  Calling Step after a conversation
// completes is also an error.
func (x *XDGSCRAMClient) Step(challenge string) (response string, err error) {
	response, err = x.ClientConversation.Step(challenge)
	return response, err
}

        void testDecodeHeaderThrowsNdrExceptionForRpcVersion() {
            when(mockBuffer.dec_ndr_small()).thenReturn(4); // Incorrect RPC version
            assertThrows(NdrException.class, () -> message.decode_header(mockBuffer));
        }

        @Test
        @DisplayName("decode_header should throw NdrException for invalid minor RPC version")

    }

    @Test
    @DisplayName("Test verify method with invalid signature")
    void testVerifyWithInvalidSignature() {
        SMB1SigningDigest digest = new SMB1SigningDigest(testMacSigningKey);
        byte[] data = new byte[100];

        // Set invalid signature
        for (int i = 0; i < 8; i++) {
            data[SmbConstants.SIGNATURE_OFFSET + i] = (byte) 0xFF;

                final String pathPrefix = ADMIN_SERVER + token;
                if (!servletPath.startsWith(pathPrefix)) {
                    throw new WebApiException(HttpServletResponse.SC_FORBIDDEN, "Invalid access token.");
                }
                final String path;
                final String value = servletPath.substring(pathPrefix.length());
                if (!value.startsWith("/")) {

            throw new IllegalArgumentException("Master password cannot be null or empty");
        }
        if (salt == null || salt.length != SALT_SIZE) {
            throw new IllegalArgumentException("Invalid salt");
        }

        this.salt = salt.clone();
        this.masterKey = deriveKey(masterPassword, this.salt);

        // Clear the master password after use
        Arrays.fill(masterPassword, '\0');

OkHttp is principled and avoids being overly configurable, especially when such configuration is
to workaround a buggy server, test invalid scenarios or that contradict the relevant RFC.
Other HTTP libraries exist that fill that gap allowing extensive customisation including potentially
invalid requests.

Example Limitations

* Does not allow GET with a body.
* Cache is not an interface with alternative implementations.

  return false
}

internal fun String.containsInvalidHostnameAsciiCodes(): Boolean {
  for (i in 0 until length) {
    val c = this[i]
    // The WHATWG Host parsing rules accepts some character codes which are invalid by
    // definition for OkHttp's host header checks (and the WHATWG Host syntax definition). Here
    // we rule out characters that would cause problems in host headers.
    if (c <= '\u001f' || c >= '\u007f') {

        assertThrows(PACDecodingException.class, () -> new KerberosToken(wrongOidToken));
    }

    /**
     * Test constructor with a malformed Kerberos token (invalid inner structure).
     *
     * @throws IOException if an I/O error occurs
     */
    @Test
    void testConstructorWithMalformedKerberosToken() throws IOException {