diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4d6fc9583..135caa0ca 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4987,6 +4987,13 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
     {
         unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
 
+        /* Check that the datagram is large enough to contain a record
+         * of the advertised length. */
+        if( ssl->in_left < mbedtls_ssl_in_hdr_len( ssl ) + ssl->in_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram too small to contain record." ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
         if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
         {
             /* Consider buffering the record. */
@@ -5970,21 +5977,9 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
         }
     }
 
-    /*
-     * Make sure the entire record contents are available.
-     *
-     * In TLS, this means fetching them from the underlying transport.
-     * In DTLS, it means checking that the incoming datagram is large enough.
-     */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
     {
-        if( ssl->in_left < mbedtls_ssl_in_hdr_len( ssl ) + ssl->in_msglen )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram too small to contain record." ) );
-            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-        }
-
         /* Remember offset of next record within datagram. */
         ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_in_hdr_len( ssl );
         if( ssl->next_record_offset < ssl->in_left )
@@ -5995,6 +5990,9 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
     else
 #endif
     {
+        /*
+         * Fetch record contents from underlying transport.
+         */
         ret = mbedtls_ssl_fetch_input( ssl,
                               mbedtls_ssl_in_hdr_len( ssl ) + ssl->in_msglen );
         if( ret != 0 )