diff --git a/CHANGES b/CHANGES
index e2be1a8789..6813153752 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4354. [bug] Check that the received HMAC length matches the
+ expected length prior to check the contents on the
+ control channel. This prevents a OOB read error.
+ [RT #42215]
+
 4353. [cleanup] Update PKCS#11 header files. [RT #42175]
 
 4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index 3f5ac84d50..e5a16ee15e 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -503,16 +503,29 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
 * Verify.
 */
 if (algorithm == ISCCC_ALG_HMACMD5) {
+ isccc_region_t *region;
 unsigned char *value;
 
- value = (unsigned char *) isccc_sexpr_tostring(hmac);
+ region = isccc_sexpr_tobinary(hmac);
+ if ((region->rend - region->rstart) != HMD5_LENGTH)
+ return (ISCCC_R_BADAUTH);
+ value = region->rstart;
 if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
 return (ISCCC_R_BADAUTH);
 } else {
+ isccc_region_t *region;
 unsigned char *value;
 isc_uint32_t valalg;
 
- value = (unsigned char *) isccc_sexpr_tostring(hmac);
+ region = isccc_sexpr_tobinary(hmac);
+
+ /*
+ * Note: with non-MD5 algorithms, there's an extra octet
+ * to identify which algorithm is in use.
+ */
+ if ((region->rend - region->rstart) != HSHA_LENGTH + 1)
+ return (ISCCC_R_BADAUTH);
+ value = region->rstart;
 GET8(valalg, value);
 if ((valalg != algorithm) ||
 !isc_safe_memequal(value, digestb64, HSHA_LENGTH))
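Review bot: Both new length checks in lib/isccc/cc.c dereference the result of `isccc_sexpr_tobinary(hmac)` straight away, so they are only safe if `hmac` is already known to be a binary element at this point; the lookup and any type check sit above the hunk and are not visible here. If that guarantee is missing, a guard such as `if (!isccc_sexpr_binaryp(hmac)) return (ISCCC_R_BADAUTH);` ahead of the `if (algorithm == ISCCC_ALG_HMACMD5)` branch would keep a malformed, still-unauthenticated control message on the BADAUTH path. The MD5 branch would also benefit from a comment matching the one in the SHA branch, for example `/* The field must be exactly HMD5_LENGTH octets, or the compare below reads past it. */`. verify() begins before and continues after this hunk.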