diff --git a/src/quic.c b/src/quic.c index 02622a7e4..f9e3b4c57 100644 --- a/src/quic.c +++ b/src/quic.c @@ -129,6 +129,13 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data, consumed = missing; qr->len = qr_length(qr->data, qr->end); + + /* sanity check on length read from wire before use */ + if (qr->len > (len + qr->capacity)) { + ret = BUFFER_E; + goto cleanup; + } + if (qr->len > qr->capacity) { uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
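Review bot: The bound `len + qr->capacity` in the added check depends on how much input this call received rather than on a fixed maximum record size, and the comment does not say why that is the right limit for the wire-supplied `qr->len`. If a record can legitimately arrive split across several calls, a length larger than the current chunk plus the buffer would now fail with BUFFER_E, so the assumption is worth stating, e.g. `/* record length may not exceed this call's input plus current capacity; caps the XREALLOC below */`. Writing the comparison as `if (qr->len > qr->capacity && qr->len - qr->capacity > len)` avoids relying on the sum not wrapping, which cannot be confirmed here because the declarations of `len` and `qr->capacity` are outside the hunk. quic_record_append begins and ends outside the hunk, so the `cleanup` path and whether `qr->len` is reset on this error are not visible.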