diff --git a/src/internal.c b/src/internal.c
index 2c1925a96..d746988fc 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17397,6 +17397,10 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 /* the record layer is here */
 case runProcessingOneMessage:
+ /* can't process a message if we have no data. */
+ if (ssl->buffers.inputBuffer.idx
+ >= ssl->buffers.inputBuffer.length)
+ return BUFFER_ERROR;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
 if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
@@ -17709,8 +17713,12 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 return ret;
 /* catch warnings that are handled as errors */
- if (type == close_notify)
+ if (type == close_notify) {
+ ssl->buffers.inputBuffer.idx =
+ ssl->buffers.inputBuffer.length;
+ ssl->options.processReply = doProcessInit;
 return ssl->error = ZERO_RETURN;
+ }
 if (type == decrypt_error)
 return FATAL_ERROR;
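Review bot: The new early return at the top of `case runProcessingOneMessage:` hangs off a two-line condition with no braces, so a statement added later can silently fall outside the guard. The second hunk of this commit braces its `if`, and I would do the same here: `if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length) {` ... `}`. The check rejects only a fully consumed buffer (`idx >= length`). Whether the remaining bytes cover the record about to be processed is not visible in this hunk and is presumably enforced in an earlier state, which the comment could say. It also returns `BUFFER_ERROR` without assigning `ssl->error` or changing `ssl->options.processReply`, unlike the `close_notify` path in the other hunk, so it is worth confirming that callers get a consistent error state. The body of ProcessReplyEx starts and ends outside the hunk.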
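Review bot: The lines added to the `close_notify` branch have no comment saying why the input buffer is marked consumed and the state machine reset, and that reasoning is the security-relevant part of the change. I would add above them `/* peer sent close_notify: ignore anything still buffered and restart at doProcessInit so a later read cannot resume on stale data */`. Setting `idx = length` only skips the leftover bytes, and whether the buffer can still hold decrypted plaintext that should be cleared is not visible from this hunk. The `decrypt_error` branch just below returns `FATAL_ERROR` without the same reset, presumably because the connection is unusable afterwards; that is worth confirming. The enclosing function extends beyond the hunk on both sides.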