diff --git a/changes/bug30041 b/changes/bug30041
new file mode 100644
index 0000000000000000000000000000000000000000..801c8f67ac9870216b990ecb48897fbfa7124961
--- /dev/null
+++ b/changes/bug30041
@@ -0,0 +1,5 @@
+  o Minor bugfixes (hardening):
+    - Verify in more places that we are not about to create a buffer
+      with more than INT_MAX bytes, to avoid possible OOB access in the event
+      of bugs.  Fixes bug 30041; bugfix on 0.2.0.16.  Found and fixed by
+      Tobias Stoeckmann.
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 89382d1d8e565ed5bde8f2f28f52b1368185d978..b36e4ab5097db0076fc58e3bd7f3b9fb312aff00 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -1034,6 +1034,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
 static inline int
 buf_pos_inc(buf_pos_t *pos)
 {
+  tor_assert(pos->pos < INT_MAX - 1);
   ++pos->pos;
   if (pos->pos == (off_t)pos->chunk->datalen) {
     if (!pos->chunk->next)
@@ -1925,6 +1926,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
 {
   chunk_t *chunk;
   off_t offset = 0;
+  tor_assert(buf->datalen < INT_MAX);
   for (chunk = buf->head; chunk; chunk = chunk->next) {
     char *cp = memchr(chunk->data, ch, chunk->datalen);
     if (cp)
@@ -2044,6 +2046,7 @@ assert_buf_ok(buf_t *buf)
     for (ch = buf->head; ch; ch = ch->next) {
       total += ch->datalen;
       tor_assert(ch->datalen <= ch->memlen);
+      tor_assert(ch->datalen < INT_MAX);
       tor_assert(ch->data >= &ch->mem[0]);
       tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
       if (ch->data == &ch->mem[0]+ch->memlen) {
@@ -2060,4 +2063,3 @@ assert_buf_ok(buf_t *buf)
     tor_assert(buf->datalen == total);
   }
 }
-
diff --git a/src/or/connection.c b/src/or/connection.c
index 791fd95c272bdc50d9d1bf3c55bf117f1fbd81c9..4f636eeb8c0e4098e0ac7ff316c191bf0bbe85be 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -3581,6 +3581,10 @@ connection_read_to_buf(connection_t *conn, ssize_t *max_to_read,
     if (conn->linked_conn) {
       result = move_buf_to_buf(conn->inbuf, conn->linked_conn->outbuf,
                                &conn->linked_conn->outbuf_flushlen);
+      if (BUG(result<0)) {
+        log_warn(LD_BUG, "reading from linked connection buffer failed.");
+        return -1;
+      }
     } else {
       result = 0;
     }