diff --git a/src/lib/radius_decode.c b/src/lib/radius_decode.c
index 321c2a9344b2..09f8f19e0fac 100644
--- a/src/lib/radius_decode.c
+++ b/src/lib/radius_decode.c
@@ -970,6 +970,13 @@ ssize_t fr_radius_decode_pair_value(TALLOC_CTX *ctx, vp_cursor_t *cursor, fr_dic
 			break;
 
 		default:
+			/*
+			 *	Chop the attribute to its maximum length.
+			 */
+			if ((parent->type == PW_TYPE_OCTETS) &&
+			    (parent->flags.length && (datalen > parent->flags.length))) {
+				    datalen = parent->flags.length;
+			    }
 			break;
 		} /* switch over encryption flags */
 	}
diff --git a/src/lib/radius_encode.c b/src/lib/radius_encode.c
index b63a501d3930..54d65acfa3a6 100644
--- a/src/lib/radius_encode.c
+++ b/src/lib/radius_encode.c
@@ -650,8 +650,17 @@ static ssize_t encode_value(uint8_t *out, size_t outlen,
 	len = vp->vp_length;
 
 	switch (da->type) {
-	case PW_TYPE_STRING:
 	case PW_TYPE_OCTETS:
+		/*
+		 *	If asked to encode more data than allowed, we
+		 *	encode only the allowed data.
+		 */
+		if (da->flags.length && (len > da->flags.length)) {
+			len = da->flags.length;
+		}
+		/* FALL-THROUGH */
+
+	case PW_TYPE_STRING:
 		data = vp->data.ptr;
 		if (!data) {
 			fr_strerror_printf("ERROR: Cannot encode NULL data");