diff --git a/src/internal.c b/src/internal.c
index c4464a3e2..378ca1d8d 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -21178,6 +21178,9 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
     }
 
     ato16(input + args->idx, &length);
+    if (length < MIN_DHKEY_SZ || length > MAX_DHKEY_SZ) {
+        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
+    }
     args->idx += OPAQUE16_LEN;
 
     if ((args->idx - args->begin) + length > size) {
@@ -21219,6 +21222,12 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
     }
 
     ato16(input + args->idx, &length);
+    if (length > MAX_DHKEY_SZ) {
+        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
+                DYNAMIC_TYPE_PUBLIC_KEY);
+        ssl->buffers.serverDH_P.buffer = NULL;
+        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
+    }
     args->idx += OPAQUE16_LEN;
 
     if ((args->idx - args->begin) + length > size) {
@@ -21256,6 +21265,16 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
     }
 
     ato16(input + args->idx, &length);
+    if (length < MIN_DHKEY_SZ || length > MAX_DHKEY_SZ) {
+        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
+                DYNAMIC_TYPE_PUBLIC_KEY);
+        ssl->buffers.serverDH_P.buffer = NULL;
+        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
+                DYNAMIC_TYPE_PUBLIC_KEY);
+        ssl->buffers.serverDH_G.buffer = NULL;
+        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
+        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
+    }
     args->idx += OPAQUE16_LEN;
 
     if ((args->idx - args->begin) + length > size) {