diff --git a/nanomq/pub_handler.c b/nanomq/pub_handler.c
index 7ef91f419..5a4021e21 100644
--- a/nanomq/pub_handler.c
+++ b/nanomq/pub_handler.c
@@ -1488,8 +1488,10 @@ decode_pub_message(nano_work *work, uint8_t proto)
 // variable header
 // topic length
 pub_packet->var_header.publish.topic_name.body =
- (char *) copy_utf8_str(msg_body, &pos, (int *)&len);
- if (len >= 0)
+ (char *) copyn_utf8_str(msg_body, &pos, (int *) &len,
+ nng_msg_remaining_len(msg) - 3);
+ if (len >= 0 &&
+ pub_packet->var_header.publish.topic_name.body != NULL)
 pub_packet->var_header.publish.topic_name.len = len;
 else
 return PROTOCOL_ERROR;
diff --git a/nanomq/sub_handler.c b/nanomq/sub_handler.c
index 47ea4745c..c674f87bf 100644
--- a/nanomq/sub_handler.c
+++ b/nanomq/sub_handler.c
@@ -81,7 +81,7 @@ decode_sub_msg(nano_work *work)
 // TODO Decoding topic has potential buffer overflow
 tn->topic.body =
- (char *)copy_utf8_str(payload_ptr, (uint32_t *)&bpos, &len_of_topic);
+ (char *)copyn_utf8_str(payload_ptr, (uint32_t *)&bpos, &len_of_topic, remaining_len);
 tn->topic.len = len_of_topic;
 log_info("topic: [%s] len: [%d]", tn->topic.body, len_of_topic);
 len_of_topic = 0;
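Review bot: The new bound `nng_msg_remaining_len(msg) - 3` in the decode_pub_message hunk of nanomq/pub_handler.c can wrap around when the remaining length is below 3, assuming the function returns an unsigned type (its declaration is not visible here); copyn_utf8_str would then receive a huge limit and the bounds check this change introduces would not hold. Guard the subtraction before the call, e.g. `if (nng_msg_remaining_len(msg) < 3) return PROTOCOL_ERROR;`, and add a short comment saying which bytes the constant 3 accounts for. The cast `(int *) &len` also suggests `len` is not declared as int; if it is unsigned, `len >= 0` is always true and the added NULL test is the only effective failure check. The body of decode_pub_message starts and ends outside the hunk.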
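Review bot: In the decode_sub_msg hunk of nanomq/sub_handler.c the result of copyn_utf8_str is used without a failure check: `tn->topic.len` is assigned and `tn->topic.body` is passed to `log_info` with `%s` even if the call returned NULL, which the pub_handler.c hunk of this same commit treats as the failure value. Add `if (tn->topic.body == NULL || len_of_topic < 0)` directly after the call and leave through the function's existing error path, which lies outside this hunk. The `// TODO Decoding topic has potential buffer overflow` comment should be updated or dropped now that the copy is bounded, and it is worth confirming that `remaining_len` means the bytes left after `bpos` rather than the whole packet length, since a bound that ignores the offset would still allow an over-read.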