diff --git a/src/dns.c b/src/dns.c
index fead2613a..c1396f525 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -810,6 +810,11 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
 		/* Move forward 2 bytes for data len */
 		reader += 2;
 
+		if (reader + dns_answer_record->data_len >= bufend) {
+			pool_free(dns_answer_item_pool, dns_answer_record);
+			return DNS_RESP_INVALID;
+		}
+
 		/* Analyzing record content */
 		switch (dns_answer_record->type) {
 			case DNS_RTYPE_A: