diff --git a/bfe_http2/server.go b/bfe_http2/server.go
index 2286b09fb..9ccc0945c 100644
--- a/bfe_http2/server.go
+++ b/bfe_http2/server.go
@@ -1618,7 +1618,10 @@ func (sc *serverConn) processData(f *DataFrame) error {
 	if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes {
 		err := fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes)
 		st.body.CloseWithError(err)
-		return StreamError{id, ErrCodeStreamClosed, err.Error()}
+		// RFC 7540, sec 8.1.2.6: A request or response is also malformed if the
+		// value of a content-length header field does not equal the sum of the
+		// DATA frame payload lengths that form the body.
+		return StreamError{id, ErrCodeProtocol, err.Error()}
 	}
 	if f.Length > 0 {
 		// Check whether the client has flow control quota.
diff --git a/bfe_http2/server_test.go b/bfe_http2/server_test.go
index 7be6318d9..966d3efb7 100644
--- a/bfe_http2/server_test.go
+++ b/bfe_http2/server_test.go
@@ -3005,3 +3005,22 @@ func TestNoRstPostAfterGOAWAY(t *testing.T) {
 	}
 
 }
+
+func TestServer_Rejects_TooSmall(t *testing.T) {
+	testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {
+		return nil
+	}, func(st *serverTester) {
+		st.writeHeaders(HeadersFrameParam{
+			StreamID: 1, // clients send odd numbers
+			BlockFragment: st.encodeHeader(
+				":method", "POST",
+				"content-length", "4",
+			),
+			EndStream:  false, // to say DATA frames are coming
+			EndHeaders: true,
+		})
+		st.writeData(1, true, []byte("12345"))
+
+		st.wantRSTStream(1, ErrCodeProtocol)
+	})
+}