diff --git a/src/tls.c b/src/tls.c
index caa5a7634..ebbd9f4c1 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -11049,7 +11049,7 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
         ato16(input + offset, &size);
         offset += OPAQUE16_LEN;
 
-        if (offset + size > length)
+        if (length - offset < size)
             return BUFFER_ERROR;
 
         switch (type) {