diff --git a/src/sniffer.c b/src/sniffer.c
index 4c02680ac..65c3e825c 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -253,7 +253,8 @@ static const char* const msgTable[] =
 /* 86 */
 "Watch callback not set",
 "Watch hash failed",
- "Watch callback failed"
+ "Watch callback failed",
+ "Bad Certificate Message"
 };
@@ -2320,8 +2321,6 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
 int ret;
 byte digest[SHA256_DIGEST_SIZE];
- (void)sslBytes;
-
 /* If the receiver is the server, this is the client certificate message,
 * and it should be ignored at this point. */
 if (session->flags.side == WOLFSSL_SERVER_END)
@@ -2332,11 +2331,28 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
 return -1;
 }
+ if (*sslBytes < CERT_HEADER_SZ) {
+ SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+ return -1;
+ }
 ato24(input, &certChainSz);
+ *sslBytes -= CERT_HEADER_SZ;
 input += CERT_HEADER_SZ;
+
+ if (*sslBytes < (int)certChainSz) {
+ SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+ return -1;
+ }
 certChain = input;
+ + ato24(input, &certSz);
 input += OPAQUE24_LEN;
+ if (*sslBytes < (int)certSz) {
+ SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+ return -1;
+ }
+
+ *sslBytes -= certChainSz;
 ret = wc_InitSha256(&sha);
 if (ret == 0)
diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index e2e7495d1..69757b7e4 100644
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -189,13 +189,13 @@ const byte eccHash[] = {
 static int myWatchCb(void* vSniffer,
 const unsigned char* certHash, unsigned int certHashSz,
- const unsigned char* cert, unsigned int certSz,
+ const unsigned char* certChain, unsigned int certChainSz,
 void* ctx, char* error)
 {
 const char* certName = NULL;
- (void)cert;
- (void)certSz;
+ (void)certChain;
+ (void)certChainSz;
 (void)ctx;
 if (certHashSz == sizeof(rsaHash) &&
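Review bot: The guard added before `ato24(input, &certSz)` in the third hunk only checks that `certChainSz` fits in `*sslBytes`; nothing checks that the chain itself holds the 3 length bytes `ato24` then reads, so a message whose `certChainSz` is 0, 1 or 2 with no trailing bytes passes every new check and reads past the end of the input. The next check, `if (*sslBytes < (int)certSz)`, compares the leaf length against the whole remaining message instead of the chain it belongs to, and `*sslBytes` has not been reduced by the `OPAQUE24_LEN` just consumed, so a `certSz` equal to `*sslBytes` is accepted although the certificate would end 3 bytes beyond the buffer (presumably read by the SHA-256 update that follows outside the hunk). Both are closed by validating the leaf against the chain, as below; ProcessCertificate continues past the end of the hunk.
```c
    certChain = input;

    /* The leaf's 3-byte length must itself lie inside the chain. */
    if (certChainSz < OPAQUE24_LEN) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    ato24(input, &certSz);
    input += OPAQUE24_LEN;
    /* Bound the leaf by the chain it sits in, not by the whole remaining
     * message, and account for the length bytes just consumed. */
    if (certSz > certChainSz - OPAQUE24_LEN) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    *sslBytes -= certChainSz;
    /* … unchanged: wc_InitSha256 and the rest of the function … */
```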
diff --git a/wolfssl/sniffer_error.h b/wolfssl/sniffer_error.h
index 844f278a0..e3bc38b78 100644
--- a/wolfssl/sniffer_error.h
+++ b/wolfssl/sniffer_error.h
@@ -124,6 +124,7 @@
 #define WATCH_CB_MISSING_STR 86
 #define WATCH_HASH_STR 87
 #define WATCH_FAIL_STR 88
+#define BAD_CERT_MSG_STR 89
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
diff --git a/wolfssl/sniffer_error.rc b/wolfssl/sniffer_error.rc
index 58fb365e4..336cf33e8 100644
--- a/wolfssl/sniffer_error.rc
+++ b/wolfssl/sniffer_error.rc
@@ -106,5 +106,6 @@ STRINGTABLE
 86, "Watch callback not set"
 87, "Watch hash failed"
 88, "Watch callback failed"
+ 89, "Bad Certificate Message"
 }