diff --git a/ChangeLog b/ChangeLog
index 2af6cf246..dbbc19cea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -65,6 +65,9 @@ Changes
 environment variable when using the project makefiles.
 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution by Alexey Skalozub in #405.
+ * In the SSL module, when f_send, f_recv or f_recv_timeout report
+ transmitting more than the required length, return an error. Raised by
+ Sam O'Connor in #1245.
 = mbed TLS 2.8.0 branch released 2018-03-16
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3802e230e..eabf3418c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2434,6 +2434,14 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
 if( ret < 0 )
 return( ret );
+ if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "f_recv returned %d bytes but only %lu were requested",
+ ret, (unsigned long)len ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
 ssl->in_left += ret;
 }
 }
@@ -2481,6 +2489,14 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
 if( ret <= 0 )
 return( ret );
+ if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "f_send returned %d bytes but only %lu bytes were sent",
+ ret, (unsigned long)ssl->out_left ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
 ssl->out_left -= ret;
 }
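Review bot: In the mbedtls_ssl_fetch_input hunk the new bound is applied only at the `ssl->in_left += ret` accumulation that is visible, and its message names f_recv although the ChangeLog entry in this commit also promises the check for f_recv_timeout. The function starts outside the hunk, so it should be confirmed that every place storing a callback's return value into `in_left` passes through an equivalent test; an over-long count accepted on another path would leave `in_left` larger than the data actually received. The range test `ret > SIZE_MAX` compares an int with a size_t, here and in the mbedtls_ssl_flush_output hunk, which may draw a sign-compare warning; `ret > (int) SIZE_MAX` keeps the comparison signed on the only platforms where that branch is reachable. A one-line comment such as `/* The callback must not report more bytes than it was asked for */` above the test would record why the check exists.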
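Review bot: In the mbedtls_ssl_flush_output hunk the debug text says `only %lu bytes were sent`, but the value printed is `ssl->out_left`, the amount still waiting to go out, so the log line reads as if fewer bytes were sent than the callback claims. Wording parallel to the receive side is clearer for whoever triages the error: `"f_send returned %d bytes but only %lu bytes were requested"`. The f_send call and the enclosing loop lie outside the hunk, so that `out_left` is exactly the length handed to f_send is inferred from the comparison and should be checked against the call.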