diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 562f632a9..2ee46f96f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -526,6 +526,12 @@ int ssl_derive_keys( ssl_context *ssl )
                    transform->keylen, transform->minlen, transform->ivlen,
                    transform->maclen ) );
 
+    if( transform->maclen > sizeof transform->mac_enc )
+    {
+        SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
     /*
      * Finally setup the cipher contexts, IVs and MAC secrets.
      */