diff --git a/modules/proto_smpp/smpp.c b/modules/proto_smpp/smpp.c
index adee05aec2c..0f244f1ea17 100644
--- a/modules/proto_smpp/smpp.c
+++ b/modules/proto_smpp/smpp.c
@@ -1000,6 +1000,12 @@ static void parse_submit_or_deliver_body(smpp_submit_sm_t *body, smpp_header_t *
 	body->data_coding = *p++;
 	body->sm_default_msg_id = *p++;
 	body->sm_length = *p++;
+	if (body->sm_length > MAX_SMS_CHARACTERS) {
+		LM_ERR("invalid short_message length %u (max %u)\n",
+			body->sm_length, MAX_SMS_CHARACTERS);
+		body->sm_length = 0;
+		return;
+	}
 	copy_fixed_str(body->short_message, p, body->sm_length);
 }
@@ -1572,6 +1578,14 @@ static int recv_smpp_msg(smpp_header_t *header, smpp_deliver_sm_t *body,
 	else
 		init_str(&hdr, "Content-Type:text/plain\r\n");
+	if (body->sm_length > MAX_SMS_CHARACTERS) {
+		LM_ERR("invalid short_message length %u (max %u)\n",
+			body->sm_length, MAX_SMS_CHARACTERS);
+		pkg_free(src.s);
+		pkg_free(dst.s);
+		return -1;
+	}
+
 	if (body->data_coding == SMPP_CODING_UCS2) {
 		memset(sms_body,0,2*MAX_SMS_CHARACTERS);
 		body_str.len = string2hex((char *)body->short_message,
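Review bot: The new guard in parse_submit_or_deliver_body bounds the write into short_message but not the read from the PDU: sm_length was just taken from `*p++` and copy_fixed_str then reads sm_length bytes from p, and nothing in the hunk checks that p plus sm_length still lies inside the received packet, so unless the caller validates the consumed bytes against the PDU's command_length an undersized packet can still make this an over-read. Since the function is `void`, resetting sm_length to 0 and returning turns a malformed PDU into a silently empty message and leaves short_message holding whatever it held before; a comment such as `/* malformed PDU: sm_length is reset to 0 so the SM reads as empty; callers cannot tell this apart from a genuine empty SM */` would make that contract explicit, or the failure could be reported to the callers. If `MAX_SMS_CHARACTERS` is a plain integer macro, passing it to `%u` is a format mismatch that `-Wformat` flags; `(unsigned)MAX_SMS_CHARACTERS` or `%d` fixes it, and the same applies to the LM_ERR added in the recv_smpp_msg hunk. The start of parse_submit_or_deliver_body lies outside the hunk.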
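Review bot: Because the parser hunk earlier in this commit resets sm_length to 0 on an oversized value, the check added in recv_smpp_msg looks unreachable along that path; it is still worth keeping as defense in depth, but say so, e.g. `/* defensive: the SMPP body parser already rejects sm_length > MAX_SMS_CHARACTERS */`, so the next reader does not go looking for the path that triggers it. The early return frees src.s and dst.s by hand, which the function's other error paths presumably also do; if recv_smpp_msg already has a cleanup label, jumping to it keeps the release logic in one place, and moving the length check ahead of those allocations would avoid the alloc/free round trip entirely. Note also that hex-encoding MAX_SMS_CHARACTERS bytes in the UCS2 branch yields exactly 2*MAX_SMS_CHARACTERS characters, the size the memset covers, so whether sms_body leaves room for a terminator depends on its declaration, which is outside the hunk. The body of recv_smpp_msg continues beyond the hunk.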