diff --git a/options.h b/options.h
index 8b49f3062a89bb3bfc17b747368204572d7e46e7..d309ab4bd6b9a48113abeab9c65b2fba959dae69 100644
--- a/options.h
+++ b/options.h
@@ -133,19 +133,15 @@ much traffic. */
 /* #define DSS_PROTOK */
 
 /* Control the memory/performance/compression tradeoff for zlib.
- * Set windowBits=8, memLevel=1 for least memory usage, see your system's
+ * Set windowBits=8 for least memory usage, see your system's
  * zlib.h for full details.
- * Default settings (windowBits=15, memLevel=8) will use 
- * 256kB for compression + 32kB for decompression.
- * windowBits=8, memLevel=1 will use 10kB compression + 32kB decompression.
- * Note that windowBits is only set for deflate() - inflate() always uses the
- * default of 15 so as to interoperate with other clients. */
+ * Default settings (windowBits=15) will use 256kB for compression
+ * windowBits=8 will use 129kB for compression.
+ * Both modes will use ~35kB for decompression (using windowBits=15 for
+ * interoperability) */
 #ifndef DROPBEAR_ZLIB_WINDOW_BITS
 #define DROPBEAR_ZLIB_WINDOW_BITS 15 
 #endif
-#ifndef DROPBEAR_ZLIB_MEM_LEVEL
-#define DROPBEAR_ZLIB_MEM_LEVEL 8
-#endif
 
 /* Whether to do reverse DNS lookups. */
 #define DO_HOST_LOOKUP
diff --git a/packet.c b/packet.c
index d4f660a1bdb312de205c8fe25f682e38e7ec4989..80eb1775b6aa93570bc909db5869c8809f1d48b9 100644
--- a/packet.c
+++ b/packet.c
@@ -41,7 +41,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
 		unsigned char *output_mac);
 static int checkmac();
 
-#define ZLIB_COMPRESS_INCR 20 /* this is 12 bytes + 0.1% of 8000 bytes */
+#define ZLIB_COMPRESS_INCR 100
 #define ZLIB_DECOMPRESS_INCR 100
 #ifndef DISABLE_ZLIB
 static buffer* buf_decompress(buffer* buf, unsigned int len);
@@ -452,14 +452,15 @@ void encrypt_packet() {
 	blocksize = ses.keys->trans.algo_crypt->blocksize;
 	mac_size = ses.keys->trans.algo_mac->hashsize;
 
-	/* Encrypted packet len is payload+5, then worst case is if we are 3 away
-	 * from a blocksize multiple. In which case we need to pad to the
-	 * multiple, then add another blocksize (or MIN_PACKET_LEN) */
-	encrypt_buf_size = (ses.writepayload->len+4+1) + MIN_PACKET_LEN + 3
+	/* Encrypted packet len is payload+5. We need to then make sure
+	 * there is enough space for padding or MIN_PACKET_LEN. 
+	 * Add extra 3 since we need at least 4 bytes of padding */
+	encrypt_buf_size = (ses.writepayload->len+4+1) 
+		+ MAX(MIN_PACKET_LEN, blocksize) + 3
 	/* add space for the MAC at the end */
 				+ mac_size
 #ifndef DISABLE_ZLIB
-	/* zlib compression could lengthen the payload in some cases */
+	/* some extra in case 'compression' makes it larger */
 				+ ZLIB_COMPRESS_INCR
 #endif
 	/* and an extra cleartext (stripped before transmission) byte for the
@@ -473,7 +474,14 @@ void encrypt_packet() {
 #ifndef DISABLE_ZLIB
 	/* compression */
 	if (is_compress_trans()) {
+		int compress_delta;
 		buf_compress(writebuf, ses.writepayload, ses.writepayload->len);
+		compress_delta = (writebuf->len - PACKET_PAYLOAD_OFF) - ses.writepayload->len;
+
+		/* Handle the case where 'compress' increased the size. */
+		if (compress_delta > ZLIB_COMPRESS_INCR) {
+			buf_resize(writebuf, writebuf->size + compress_delta);
+		}
 	} else
 #endif
 	{
diff --git a/sysoptions.h b/sysoptions.h
index 216ab647b66c146a3cc2d736effc559479773b2b..ce2c0456b3673595467c36ce9d022dbf8df899d6 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -178,6 +178,10 @@
 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
 #endif
 
+/* Changing this is inadvisable, it appears to have problems
+ * with flushing compressed data */
+#define DROPBEAR_ZLIB_MEM_LEVEL 8
+
 #if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
 #endif