diff --git a/components/wpa_supplicant/src/tls/tlsv1_client_read.c b/components/wpa_supplicant/src/tls/tlsv1_client_read.c
index 9eac82f16e..3394873655 100644
--- a/components/wpa_supplicant/src/tls/tlsv1_client_read.c
+++ b/components/wpa_supplicant/src/tls/tlsv1_client_read.c
@@ -776,7 +776,8 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 			hlen = tls_key_x_server_params_hash(
 				conn->rl.tls_version, conn->client_random,
 				conn->server_random, server_params,
-				server_params_end - server_params, hash);
+				server_params_end - server_params, hash,
+				sizeof(hash));
 		}
 
 		if (hlen < 0)
diff --git a/components/wpa_supplicant/src/tls/tlsv1_common.c b/components/wpa_supplicant/src/tls/tlsv1_common.c
index 06c9640c8d..933c2df9c6 100644
--- a/components/wpa_supplicant/src/tls/tlsv1_common.c
+++ b/components/wpa_supplicant/src/tls/tlsv1_common.c
@@ -380,7 +380,7 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
 				 const u8 *server_random,
 				 const u8 *server_params,
-				 size_t server_params_len, u8 *hash)
+				 size_t server_params_len, u8 *hash, size_t hsz)
 {
 	u8 *hpos;
 	size_t hlen;
@@ -395,6 +395,8 @@ int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
 	crypto_hash_update(ctx, server_params, server_params_len);
 	hlen = MD5_MAC_LEN;
+	if (hsz < hlen)
+		return -1;
 	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
 		return -1;
 	hpos += hlen;
@@ -405,7 +407,7 @@ int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
 	crypto_hash_update(ctx, server_params, server_params_len);
-	hlen = hash + sizeof(hash) - hpos;
+	hlen = hsz - hlen;
 	if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
 		return -1;
 	hpos += hlen;
diff --git a/components/wpa_supplicant/src/tls/tlsv1_common.h b/components/wpa_supplicant/src/tls/tlsv1_common.h
index e30b15a030..4cfdc2d551 100644
--- a/components/wpa_supplicant/src/tls/tlsv1_common.h
+++ b/components/wpa_supplicant/src/tls/tlsv1_common.h
@@ -267,7 +267,8 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_Alg,
 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
 				 const u8 *server_random,
 				 const u8 *server_params,
-				 size_t server_params_len, u8 *hash);
+				 size_t server_params_len,
+				 u8 *hash, size_t hsz);
 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
 			 const u8 *data, size_t data_len,
 			 const u8 *pos, size_t len, u8 *alert);
diff --git a/components/wpa_supplicant/src/tls/tlsv1_server_write.c b/components/wpa_supplicant/src/tls/tlsv1_server_write.c
index 8d36cf1353..545abae2ba 100644
--- a/components/wpa_supplicant/src/tls/tlsv1_server_write.c
+++ b/components/wpa_supplicant/src/tls/tlsv1_server_write.c
@@ -620,7 +620,7 @@ static int tls_write_server_key_exchange(struct tlsv1_server *conn,
 			hlen = tls_key_x_server_params_hash(
 				conn->rl.tls_version, conn->client_random,
 				conn->server_random, server_params,
-				pos - server_params, hash);
+				pos - server_params, hash, sizeof(hash));
 		}
 
 		if (hlen < 0) {