diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3e0552c4e..a9c099c1f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5109,6 +5109,9 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
     rec->buf     = buf;
     rec->buf_len = rec->data_offset + rec->data_len;
 
+    if( rec->data_len == 0 )
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+
     /*
      * DTLS-related tests.
      * Check epoch before checking length constraint because