diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3b6258493..426119521 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3160,7 +3160,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
     {
         const int *md;
         const int *sig_hashes = ssl->conf->sig_hashes;
-        size_t sig_algs_len = 0;
+        size_t sig_algs_len = sizeof( uint16_t );
         size_t sig_algs_len_per_hash = 0;
         uint16_t *p;
 
@@ -3176,7 +3176,8 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
             if( mbedtls_ssl_hash_from_md_alg( *md ) == MBEDTLS_SSL_HASH_NONE )
                 continue;
             if( sig_algs_len >
-                ( MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN - sig_algs_len_per_hash ) )
+                ( MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN + sizeof( uint16_t )
+                  - sig_algs_len_per_hash ) )
             {
                 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
             }
@@ -3184,11 +3185,10 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
             sig_algs_len += sig_algs_len_per_hash;
         }
 
-        if( sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN )
+        if( sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN + sizeof( uint16_t ))
             return( MBEDTLS_ERR_SSL_BAD_CONFIG );
 
-        ssl->handshake->sig_algs = mbedtls_calloc( 1,
-                                            sig_algs_len + sizeof( uint16_t ) );
+        ssl->handshake->sig_algs = mbedtls_calloc( 1, sig_algs_len );
         if( ssl->handshake->sig_algs == NULL )
             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );