diff --git a/include/proto/proto_http.h b/include/proto/proto_http.h
index 1b6284b4e..c49cb4ef3 100644
--- a/include/proto/proto_http.h
+++ b/include/proto/proto_http.h
@@ -130,6 +130,22 @@ enum http_meth_t find_http_meth(const char *str, const int len);
 		(msg)->eoh += (_bytes);		\
 	} while (0)
 
+
+/* Return the maximum amount of bytes that may be read after the beginning of
+ * the message body, according to the advertised length. The function is safe
+ * for use between HTTP_MSG_BODY and HTTP_MSG_DATA regardless of whether the
+ * headers were already forwarded or not.
+ */
+static inline int http_body_bytes(const struct http_msg *msg)
+{
+	int len;
+
+	len = buffer_len(msg->chn->buf) - msg->sov - msg->sol;
+	if (len > msg->body_len)
+		len = msg->body_len;
+	return len;
+}
+
 /* for debugging, reports the HTTP message state name */
 static inline const char *http_msg_state_str(int msg_state)
 {
diff --git a/src/backend.c b/src/backend.c
index 17e4b7fcb..e40b56082 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -298,14 +298,11 @@ struct server *get_server_ph_post(struct session *s)
 	struct http_msg *msg  = &txn->req;
 	struct proxy    *px   = s->be;
 	unsigned int     plen = px->url_param_len;
-	unsigned long    len  = msg->body_len;
+	unsigned long    len  = http_body_bytes(msg);
 	const char      *params = b_ptr(req->buf, (int)(msg->sov + msg->sol - req->buf->o));
 	const char      *p    = params;
 	const char      *start, *end;
 
-	if (len > buffer_len(req->buf) - msg->sov - msg->sol)
-		len = buffer_len(req->buf) - msg->sov - msg->sol;
-
 	if (len == 0)
 		return NULL;