diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index f9e1a1770b..d1801be669 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -278,6 +278,9 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
     uint16_t extensions_len = input[0] << 8 | input[1];
     input += 2;
 
+    if (!(HAS_SPACE(extensions_len)))
+        goto invalid_length;
+
     uint16_t processed_len = 0;
     while (processed_len < extensions_len)
     {