diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h
index 73ff32b66..4d2917ee9 100644
--- a/include/mbedtls/asn1write.h
+++ b/include/mbedtls/asn1write.h
@@ -40,6 +40,8 @@ extern "C" {
  * \param start     start of the buffer (for bounds-checking)
  * \param len       the length to write
  *
+ * \note            lengths over 65535 are not supported at the moment
+ *
  * \return          the length written or a negative error code
  */
 int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len );
diff --git a/library/asn1write.c b/library/asn1write.c
index 027c858e7..ef35ee438 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -41,6 +41,11 @@
 
 int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len )
 {
+    // We don't support lengths over 65535 for now
+    //
+    if( len > 0xFFFF )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
     if( len < 0x80 )
     {
         if( *p - start < 1 )
@@ -63,8 +68,6 @@ int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len
     if( *p - start < 3 )
         return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
-    // We assume we never have lengths larger than 65535 bytes
-    //
     *--(*p) = len % 256;
     *--(*p) = ( len / 256 ) % 256;
     *--(*p) = 0x82;