diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 9430d1cebe56..779d51075e3d 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -2080,11 +2080,14 @@ ovpn_peer_from_mbuf(struct ovpn_softc *sc, struct mbuf *m, int off)
 {
 	struct ovpn_wire_header ohdr;
 	uint32_t peerid;
+	const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag);
 
 	OVPN_RASSERT(sc);
 
-	m_copydata(m, off + sizeof(struct udphdr),
-	    sizeof(ohdr) - sizeof(ohdr.auth_tag), (caddr_t)&ohdr);
+	if (m_length(m, NULL) < (off + sizeof(struct udphdr) + hdrlen))
+		return (NULL);
+
+	m_copydata(m, off + sizeof(struct udphdr), hdrlen, (caddr_t)&ohdr);
 
 	peerid = ntohl(ohdr.opcode) & 0x00ffffff;
 
diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index fb32e3ed1895..faf21d5669b1 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -91,6 +91,7 @@ atf_test_case "4in4" "cleanup"
 	# Give the tunnel time to come up
 	sleep 10
 
+	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
 	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
 }