diff --git a/hw/application_fpga/fw/tk1/main.c b/hw/application_fpga/fw/tk1/main.c
index 5bfbb53..67fc5a6 100644
--- a/hw/application_fpga/fw/tk1/main.c
+++ b/hw/application_fpga/fw/tk1/main.c
@@ -244,7 +244,11 @@ int main()
 
 		memset(cmd, 0, CMDLEN_MAXBYTES);
 		// Now we know the size of the cmd frame, read it all
-		read(cmd, hdr.len);
+		if (read(cmd, CMDLEN_MAXBYTES, hdr.len) != 0) {
+			htif_puts("read: buffer overrun\n");
+			forever_redflash();
+			// Not reached
+		}
 
 		// Is it for us?
 		if (hdr.endpoint != DST_FW) {
diff --git a/hw/application_fpga/fw/tk1/proto.c b/hw/application_fpga/fw/tk1/proto.c
index 377348c..6c9e18a 100644
--- a/hw/application_fpga/fw/tk1/proto.c
+++ b/hw/application_fpga/fw/tk1/proto.c
@@ -148,9 +148,15 @@ uint8_t readbyte_ledflash(int ledvalue, int loopcount)
 	}
 }
 
-void read(uint8_t *buf, size_t nbytes)
+int read(uint8_t *buf, size_t bufsize, size_t nbytes)
 {
+	if (nbytes > bufsize) {
+		return -1;
+	}
+
 	for (int n = 0; n < nbytes; n++) {
 		buf[n] = readbyte();
 	}
+
+	return 0;
 }
diff --git a/hw/application_fpga/fw/tk1/proto.h b/hw/application_fpga/fw/tk1/proto.h
index 9660877..7203d46 100644
--- a/hw/application_fpga/fw/tk1/proto.h
+++ b/hw/application_fpga/fw/tk1/proto.h
@@ -56,6 +56,6 @@ void writebyte(uint8_t b);
 void write(uint8_t *buf, size_t nbytes);
 uint8_t readbyte();
 uint8_t readbyte_ledflash(int ledvalue, int loopcount);
-void read(uint8_t *buf, size_t nbytes);
+int read(uint8_t *buf, size_t bufsize, size_t nbytes);
 
 #endif