diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 150873c1c..db66ae15e 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -1060,6 +1060,14 @@ int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
 		return -1;
 	if (conn->push_buf_len < out_len)
 		out_len = conn->push_buf_len;
+	else if (conn->push_buf_len > out_len) {
+		wpa_printf(MSG_INFO, "GnuTLS: Not enough buffer space for "
+			   "encrypted message (in_len=%lu push_buf_len=%lu "
+			   "out_len=%lu",
+			   (unsigned long) in_len,
+			   (unsigned long) conn->push_buf_len,
+			   (unsigned long) out_len);
+	}
 	os_memcpy(out_data, conn->push_buf, out_len);
 	os_free(conn->push_buf);
 	conn->push_buf = NULL;
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 839ceb6ad..19afb90dc 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -904,7 +904,7 @@ int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
 
 	if (in_data) {
 		eap_peer_tls_reset_output(data);
-		len = wpabuf_len(in_data) + 100;
+		len = wpabuf_len(in_data) + 300;
 		data->tls_out = os_malloc(len);
 		if (data->tls_out == NULL)
 			return -1;