diff --git a/lib/service.c b/lib/service.c
index 1e9f825e91630bec7ab4cdb47d57f767e0c261e2..dca214b22f832cb117a85bab5ffcc610a1ac7f1d 100644
--- a/lib/service.c
+++ b/lib/service.c
@@ -918,6 +918,9 @@ read:
 					eff_buf.token_len = LWS_MAX_SOCKET_IO_BUF;
 				}
 
+				if (eff_buf.token_len > LWS_MAX_SOCKET_IO_BUF)
+					eff_buf.token_len = LWS_MAX_SOCKET_IO_BUF;
+
 				eff_buf.token_len = lws_ssl_capable_read(wsi,
 					(unsigned char *)eff_buf.token, pending ? pending :
 					eff_buf.token_len);