diff --git a/src/quic_token.c b/src/quic_token.c
index 4f33447dc..9c1d69cd1 100644
--- a/src/quic_token.c
+++ b/src/quic_token.c
@@ -129,6 +129,11 @@ int quic_token_check(struct quic_rx_packet *pkt,
 		goto err;
 	}
 
+	if (tokenlen != QUIC_TOKEN_LEN) {
+		TRACE_ERROR("invalid token length", QUIC_EV_CONN_LPKT, qc);
+		goto err;
+	}
+
 	/* Generate the AAD. */
 	aadlen = ipaddrcpy(aad, &dgram->saddr);
 	rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN;