diff --git a/ChangeLog b/ChangeLog
index dd04b1d63..683a02824 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,9 @@ Changes
      Alex Hixon.
    * Allow configuring the shared library extension by setting the DLEXT
      environment variable when using the project makefiles.
+   * Verify that when (f_send, f_recv and f_recv_timeout) send or receive
+     more than the required length an error is returned. Raised by
+     Sam O'Connor in #1245.
 
 = mbed TLS 2.1.11 branch released 2018-03-16
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4f0392a95..3462490ca 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2413,6 +2413,14 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
             if( ret < 0 )
                 return( ret );
 
+            if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "f_recv returned %d bytes but only %lu were requested",
+                    ret, (unsigned long)len ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
             ssl->in_left += ret;
         }
     }
@@ -2460,6 +2468,14 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
         if( ret <= 0 )
             return( ret );
 
+        if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "f_send returned %d bytes but only %lu bytes were sent",
+                ret, (unsigned long)ssl->out_left ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
         ssl->out_left -= ret;
     }