diff --git a/src/quic_tx.c b/src/quic_tx.c
index d283ec9be..82b3f5fa0 100644
--- a/src/quic_tx.c
+++ b/src/quic_tx.c
@@ -1908,7 +1908,7 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
                            const struct quic_version *ver, struct list *frms)
 {
 	unsigned char *beg, *payload;
-	size_t len, len_sz, len_frms, padding_len;
+	size_t len, len_sz = 0, len_frms, padding_len;
 	struct quic_frame frm;
 	struct quic_frame ack_frm;
 	struct quic_frame cc_frm;
@@ -1963,6 +1963,17 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
 	}
 
 	head_len = pos - beg;
+
+	if (pkt->type != QUIC_PACKET_TYPE_SHORT) {
+		/* Reserve enough bytes for packet length. Real value will be
+		 * recalculated later after payload length is determined.
+		 */
+		len_sz = quic_int_getsize(end - pos);
+		if (end - pos <= len_sz)
+			goto no_room;
+		pos += len_sz;
+	}
+
 	/* Build an ACK frame if required. */
 	ack_frm_len = 0;
 	/* Do not ack and probe at the same time. */
@@ -2050,11 +2061,15 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
 	}
 	add_ping_frm = 0;
 	padding_len = 0;
-	len_sz = quic_int_getsize(len);
 	/* Add this packet size to <dglen> */
 	dglen += head_len + len;
-	if (pkt->type != QUIC_PACKET_TYPE_SHORT)
+
+	if (pkt->type != QUIC_PACKET_TYPE_SHORT) {
+		/* Remove reserved space for packet length. */
+		pos -= len_sz;
+		len_sz = quic_int_getsize(len);
 		dglen += len_sz;
+	}
 
 	if (padding && dglen < QUIC_INITIAL_PACKET_MINLEN) {
 		padding_len = QUIC_INITIAL_PACKET_MINLEN - dglen;