diff --git a/src/meta.c b/src/meta.c
index 1bb634fd..a3f7ef3c 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -76,7 +76,7 @@ void broadcast_meta(connection_t *from, const char *buffer, int length) {
 }
 
 bool receive_meta(connection_t *c) {
-	size_t inlen;
+	int inlen;
 	char inbuf[MAXBUFSIZE];
 	char *bufp = inbuf, *endp;
 
@@ -117,7 +117,7 @@ bool receive_meta(connection_t *c) {
 			bufp = endp;
 		} else {
 			size_t outlen = inlen;
-			ifdebug(META) logger(LOG_DEBUG, "Received encrypted %zu bytes", inlen);
+			ifdebug(META) logger(LOG_DEBUG, "Received encrypted %d bytes", inlen);
 			evbuffer_expand(c->buffer->input, c->buffer->input->off + inlen);
 
 			if(!cipher_decrypt(&c->incipher, bufp, inlen, c->buffer->input->buffer + c->buffer->input->off, &outlen, false) || inlen != outlen) {
diff --git a/src/net_packet.c b/src/net_packet.c
index df6f4826..64732d08 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -533,15 +533,18 @@ void handle_incoming_vpn_data(int sock, short events, void *data) {
 	sockaddr_t from;
 	socklen_t fromlen = sizeof from;
 	node_t *n;
+	int len;
 
-	pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
+	len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
 
-	if(pkt.len < 0) {
+	if(len <= 0 || len > MAXSIZE) {
 		if(!sockwouldblock(sockerrno))
 			logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
 		return;
 	}
 
+	pkt.len = len;
+
 	sockaddrunmap(&from);		/* Some braindead IPv6 implementations do stupid things. */
 
 	n = lookup_node_udp(&from);