diff --git a/libfprint/drivers/upekts.c b/libfprint/drivers/upekts.c
index c9a8a2e..e6fac76 100644
--- a/libfprint/drivers/upekts.c
+++ b/libfprint/drivers/upekts.c
@@ -235,12 +235,19 @@ __handle_incoming_msg (FpDevice *device,
 {
 GError *error = NULL;
 guint8 *buf = udata->buffer;
- guint16 len = ((buf[5] & 0xf) << 8) | buf[6];
- guint16 computed_crc = udf_crc (buf + 4, len + 3);
- guint16 msg_crc = (buf[len + 8] << 8) | buf[len + 7];
+ guint16 len;
+ guint16 computed_crc;
+ guint16 msg_crc;
 unsigned char *retdata = NULL;
 unsigned char code_a, code_b;
+ g_assert (udata->buflen >= 6);
+ len = ((buf[5] & 0xf) << 8) | buf[6];
+
+ g_assert (udata->buflen >= len + 9);
+ computed_crc = udf_crc (buf + 4, len + 3);
+ msg_crc = (buf[len + 8] << 8) | buf[len + 7];
+
 if (computed_crc != msg_crc)
 {
 fp_err ("CRC failed, got %04x expected %04x", msg_crc, computed_crc);
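Review bot: The first added guard is one byte short: `len` is assembled from `buf[5]` and `buf[6]`, so that read needs at least seven bytes, yet `g_assert (udata->buflen >= 6)` still passes when exactly six arrived; it should read `g_assert (udata->buflen >= 7);`. Both guards are also `g_assert`s on a length field that comes from the device, so a malformed message aborts the host process, and a build that defines `G_DISABLE_ASSERT` drops the checks and leaves the `buf[len + 7]` / `buf[len + 8]` indexing unguarded. Explicit length comparisons that fail the transfer with an error, in the same way the CRC-mismatch branch below appears to, would hold in every build configuration. The body of `__handle_incoming_msg` starts and continues outside this hunk, so the exact error call has to follow whatever that branch does.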