diff --git a/CHANGES b/CHANGES
index bc76b1cf6d..1cfe48002f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 6230.	[bug]		Prevent an unnecessary query restart if a synthesized
 			CNAME target points to the CNAME owner. [GL #3835]
 
+6227.	[bug]		Check the statistics-channel HTTP Content-length
+			to prevent negative or overflowing values from
+			causing a crash. [GL #4125]
+
 6224.	[bug]		Check the If-Modified-Since value length to prevent
 			out-of-bounds write. [GL #4124]
 
diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh
index 3318f45b0c..25122e1eca 100644
--- a/bin/tests/system/statschannel/tests.sh
+++ b/bin/tests/system/statschannel/tests.sh
@@ -72,9 +72,66 @@ loadkeys_on() {
     wait_for_log 20 "next key event" ns${nsidx}/named.run
 }
 
+set -x
+
+# verify that the http server dropped the connection without replying
+check_http_dropped() {
+    if [ -x "${NC}" ] ; then
+	"${NC}" 10.53.0.3 "${EXTRAPORT1}" > nc.out$n || ret=1
+	if test -s nc.out$n; then
+		ret=1
+	fi
+    else
+	echo_i "skipping test as nc not found"
+    fi
+}
+
 status=0
 n=1
 
+echo_i "check content-length parse error ($n)"
+ret=0
+check_http_dropped <<EOF
+POST /xml/v3/status HTTP/1.0
+Content-Length: nah
+
+EOF
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n + 1))
+
+echo_i "check negative content-length ($n)"
+ret=0
+check_http_dropped <<EOF
+POST /xml/v3/status HTTP/1.0
+Content-Length: -50
+
+EOF
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n + 1))
+
+echo_i "check content-length 32-bit overflow ($n)"
+check_http_dropped <<EOF
+POST /xml/v3/status HTTP/1.0
+Content-Length: 4294967239
+
+EOF
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n + 1))
+
+echo_i "check content-length 64-bit overflow ($n)"
+check_http_dropped <<EOF
+POST /xml/v3/status HTTP/1.0
+Content-Length: 18446744073709551549
+
+EOF
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n + 1))
+
 echo_i "Prepare for if-modified-since test ($n)"
 ret=0
 i=0
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 79dcce4a0b..c09e915ff5 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -38,15 +38,19 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- None.
-
 - The value of If-Modified-Since header in statistics channel was not checked
   for length leading to possible buffer overflow by an authorized user.  We
   would like to emphasize that statistics channel must be properly setup to
   allow access only from authorized users of the system. :gl:`#4124`
 
-  This was reported independently by Eric Sesterhenn of X41 D-SEC and Cameron
-  Whitehead.
+  This issue was reported independently by Eric Sesterhenn of X41 D-SEC and
+  Cameron Whitehead.
+
+- The value of Content-Length header in statistics channel was not bound checked
+  and negative or large enough value could lead to overflow and assertion failure.
+  :gl:`#4125`
+
+  This issue was reported by Eric Sesterhenn of X41 D-SEC.
 
 Known Issues
 ~~~~~~~~~~~~
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index d370112aa4..b15cc45448 100644
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -427,7 +427,7 @@ process_request(isc_httpd_t *httpd, size_t last_len) {
 	 */
 	httpd->flags = 0;
 
-	ssize_t content_len = 0;
+	size_t content_len = 0;
 	bool keep_alive = false;
 	bool host_header = false;
 
@@ -438,12 +438,23 @@ process_request(isc_httpd_t *httpd, size_t last_len) {
 
 		if (name_match(header, "Content-Length")) {
 			char *endptr;
-			content_len = (size_t)strtoul(header->value, &endptr,
-						      10);
-			/* Consistency check, if we consumed all numbers */
+			long val = strtol(header->value, &endptr, 10);
+
+			errno = 0;
+
+			/* ensure we consumed all digits */
 			if ((header->value + header->value_len) != endptr) {
+				return (ISC_R_BADNUMBER);
+			}
+			/* ensure there was no minus sign */
+			if (val < 0) {
+				return (ISC_R_BADNUMBER);
+			}
+			/* ensure it did not overflow */
+			if (errno != 0) {
 				return (ISC_R_RANGE);
 			}
+			content_len = val;
 		} else if (name_match(header, "Connection")) {
 			/* multiple fields in a connection header are allowed */
 			if (value_match(header, "close")) {
@@ -479,17 +490,18 @@ process_request(isc_httpd_t *httpd, size_t last_len) {
 		return (ISC_R_BADNUMBER);
 	}
 
-	if (content_len == (ssize_t)ULONG_MAX) {
-		/* Invalid number in the header value. */
-		return (ISC_R_BADNUMBER);
+	if (content_len >= HTTP_MAX_REQUEST_LEN) {
+		return (ISC_R_RANGE);
 	}
-	if (httpd->consume + content_len > httpd->recvlen) {
+
+	size_t consume = httpd->consume + content_len;
+	if (consume > httpd->recvlen) {
 		/* The request data isn't complete yet. */
 		return (ISC_R_NOMORE);
 	}
 
 	/* Consume the request's data, which we do not use. */
-	httpd->consume += content_len;
+	httpd->consume = consume;
 
 	switch (httpd->minor_version) {
 	case 0: