--- haproxy-2.8.11+git0.01c1056a4/src/h3.c.orig	2026-04-20 14:40:05.887164526 +0200
+++ haproxy-2.8.11+git0.01c1056a4/src/h3.c	2026-04-20 14:41:46.536033110 +0200
@@ -1220,6 +1220,13 @@ static ssize_t h3_decode_qcs(struct qcs
 		struct htx *htx;
 
 		TRACE_PROTO("received FIN without data", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
+
+		/* FIN received, ensure body length is conform to any content-length header. */
+		if ((h3s->flags & H3_SF_HAVE_CLEN) && h3_check_body_size(qcs, 1)) {
+			qcc_abort_stream_read(qcs);
+			qcc_reset_stream(qcs, h3s->err);
+			goto done;
+		}
 		if (!(appbuf = qcs_get_buf(qcs, &qcs->rx.app_buf))) {
 			TRACE_ERROR("data buffer alloc failure", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
 			h3c->err = H3_INTERNAL_ERROR;