diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1bda53c46..938ca7a2f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2474,7 +2474,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
     {
         dn_size = crt->subject_raw.len;
 
-        if( end < p || (size_t)( end - p ) < 2 + dn_size )
+        if( end < p ||
+            (size_t)( end - p ) < dn_size ||
+            (size_t)( end - p ) < 2 + dn_size )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
             break;