diff --git a/protocols/bgp/packet/mp_reach_nlri.go b/protocols/bgp/packet/mp_reach_nlri.go
index e6ec075eab9fb426cd405affb2692f0b0cc23fb3..497bc7a2483a29fafdfb7c2b3e2661fb4ba2e8d0 100644
--- a/protocols/bgp/packet/mp_reach_nlri.go
+++ b/protocols/bgp/packet/mp_reach_nlri.go
@@ -58,12 +58,23 @@ func deserializeMultiProtocolReachNLRI(b []byte) (MultiProtocolReachNLRI, error)
 
 	variable = variable[1+nextHopLength:]
 
-	idx := uint8(0)
 	n.Prefixes = make([]bnet.Prefix, 0)
+
+	if len(variable) == 0 {
+		return n, nil
+	}
+
+	idx := uint8(0)
 	for idx < uint8(len(variable)) {
 		l := numberOfBytesForPrefixLength(variable[idx])
+		start := idx + 1
+		end := idx + 1 + l
+		r := uint8(len(variable)) - idx - 1
+		if r < l {
+			return MultiProtocolReachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", l, r)
+		}
 
-		pfx, err := deserializePrefix(variable[idx+1:idx+1+l], variable[idx], n.AFI)
+		pfx, err := deserializePrefix(variable[start:end], variable[idx], n.AFI)
 		if err != nil {
 			return MultiProtocolReachNLRI{}, err
 		}
diff --git a/protocols/bgp/packet/mp_unreach_nlri.go b/protocols/bgp/packet/mp_unreach_nlri.go
index 35f3cadf2c46ec36da8c3c53f6e781e4c8625595..7b42c4ced4e88dadb58ff8b2bcab249e8b4c0576 100644
--- a/protocols/bgp/packet/mp_unreach_nlri.go
+++ b/protocols/bgp/packet/mp_unreach_nlri.go
@@ -2,6 +2,7 @@ package packet
 
 import (
 	"bytes"
+	"fmt"
 
 	bnet "github.com/bio-routing/bio-rd/net"
 	"github.com/taktv6/tflow2/convert"
@@ -41,12 +42,21 @@ func deserializeMultiProtocolUnreachNLRI(b []byte) (MultiProtocolUnreachNLRI, er
 		return MultiProtocolUnreachNLRI{}, err
 	}
 
+	if len(prefix) == 0 {
+		return n, nil
+	}
+
 	idx := uint8(0)
-	n.Prefixes = make([]bnet.Prefix, 0)
 	for idx < uint8(len(prefix)) {
 		l := numberOfBytesForPrefixLength(prefix[idx])
+		start := idx + 1
+		end := idx + 1 + l
+		r := uint8(len(prefix)) - idx - 1
+		if r < l {
+			return MultiProtocolUnreachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", l, r)
+		}
 
-		pfx, err := deserializePrefix(prefix[idx+1:idx+1+l], prefix[idx], n.AFI)
+		pfx, err := deserializePrefix(prefix[start:end], prefix[idx], n.AFI)
 		if err != nil {
 			return MultiProtocolUnreachNLRI{}, err
 		}