diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 2f08f3727..d2855e32f 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
 if (!isxdigit(*cbp))
 goto bad;
 h->chunk_size = strtoul(cbp, NULL, 16);
+ if (h->chunk_size < 0 ||
+ h->chunk_size > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Invalid chunk size %d",
+ h->chunk_size);
+ goto bad;
+ }
 /* throw away chunk header
 * so we have only real data
 */
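Review bot: The added range check runs only after the `unsigned long` result of `strtoul()` has been stored in `h->chunk_size`, which appears to be a signed int given the `< 0` test and the `%d` format. Where `unsigned long` is wider than that field, an oversized chunk-size value is narrowed first, so the check can see a small in-range number and accept the chunk with a size the peer never sent instead of rejecting it. Validating before narrowing closes that gap: `unsigned long sz = strtoul(cbp, NULL, 16);`, `if (sz > (unsigned long) h->max_bytes) goto bad;`, then `h->chunk_size = sz;`. This assumes `max_bytes` is never negative, which should be confirmed against the struct definition outside this hunk. The body of httpread_read_handler starts and ends outside the hunk, so how `chunk_size` is used afterwards is not visible here.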