diff --git a/crypto/secio/rw.go b/crypto/secio/rw.go
index 5172bf0e8..959fd634a 100644
--- a/crypto/secio/rw.go
+++ b/crypto/secio/rw.go
@@ -15,6 +15,10 @@ import (
 	context "github.com/ipfs/go-ipfs/Godeps/_workspace/src/golang.org/x/net/context"
 )
 
+const MaxMsgSize = 8 * 1024 * 1024
+
+var ErrMaxMessageSize = errors.New("attempted to read message larger than max size")
+
 // ErrMACInvalid signals that a MAC verification failed
 var ErrMACInvalid = errors.New("MAC verification failed")
 
@@ -130,6 +134,10 @@ func (r *etmReader) Read(buf []byte) (int, error) {
 		return 0, err
 	}
 
+	if fullLen > MaxMsgSize {
+		return 0, ErrMaxMessageSize
+	}
+
 	buf2 := buf
 	changed := false
 	// if not enough space, allocate a new buffer.