diff --git a/changes/ticket31682 b/changes/ticket31682
new file mode 100644
index 0000000000..9777dec1f3
--- /dev/null
+++ b/changes/ticket31682
@@ -0,0 +1,3 @@
+  o Minor bugfixes (hidden service v3, coverity):
+    - Fix an implicit conversion from ssize_t to size_t discovered by Coverity.
+      Fixes bug 31682; bugfix on 0.4.2.1-alpha.
diff --git a/src/feature/hs/hs_cell.c b/src/feature/hs/hs_cell.c
index 547dda3e16..d691a1b007 100644
--- a/src/feature/hs/hs_cell.c
+++ b/src/feature/hs/hs_cell.c
@@ -494,12 +494,14 @@ build_establish_intro_dos_param(trn_cell_extension_dos_t *dos_ext,
 }
 
 /* Build the DoS defense cell extension and put it in the given extensions
- * object. This can't fail. */
-static void
+ * object. Return 0 on success, -1 on failure.  (Right now, failure is only
+ * possible if there is a bug.) */
+static int
 build_establish_intro_dos_extension(const hs_service_config_t *service_config,
                                     trn_cell_extension_t *extensions)
 {
-  ssize_t ret, dos_ext_encoded_len;
+  ssize_t ret;
+  size_t dos_ext_encoded_len;
   uint8_t *field_array;
   trn_cell_extension_field_t *field;
   trn_cell_extension_dos_t *dos_ext;
@@ -526,7 +528,11 @@ build_establish_intro_dos_extension(const hs_service_config_t *service_config,
                                   service_config->intro_dos_burst_per_sec);
 
   /* Set the field with the encoded DoS extension. */
-  dos_ext_encoded_len = trn_cell_extension_dos_encoded_len(dos_ext);
+  ret = trn_cell_extension_dos_encoded_len(dos_ext);
+  if (BUG(ret <= 0)) {
+    return -1;
+  }
+  dos_ext_encoded_len = ret;
   /* Set length field and the field array size length. */
   trn_cell_extension_field_set_field_len(field, dos_ext_encoded_len);
   trn_cell_extension_field_setlen_field(field, dos_ext_encoded_len);
@@ -534,7 +540,10 @@ build_establish_intro_dos_extension(const hs_service_config_t *service_config,
   field_array = trn_cell_extension_field_getarray_field(field);
   ret = trn_cell_extension_dos_encode(field_array,
                  trn_cell_extension_field_getlen_field(field), dos_ext);
-  tor_assert(ret == dos_ext_encoded_len);
+  if (BUG(ret <= 0)) {
+    return -1;
+  }
+  tor_assert(ret == (ssize_t) dos_ext_encoded_len);
 
   /* Finally, encode field into the cell extension. */
   trn_cell_extension_add_fields(extensions, field);
@@ -546,6 +555,8 @@ build_establish_intro_dos_extension(const hs_service_config_t *service_config,
 
   /* Cleanup. DoS extension has been encoded at this point. */
   trn_cell_extension_dos_free(dos_ext);
+
+  return 0;
 }
 
 /* ========== */
@@ -558,6 +569,7 @@ STATIC trn_cell_extension_t *
 build_establish_intro_extensions(const hs_service_config_t *service_config,
                                  const hs_service_intro_point_t *ip)
 {
+  int ret;
   trn_cell_extension_t *extensions;
 
   tor_assert(service_config);
@@ -571,9 +583,14 @@ build_establish_intro_extensions(const hs_service_config_t *service_config,
   if (service_config->has_dos_defense_enabled &&
       ip->support_intro2_dos_defense) {
     /* This function takes care to increment the number of extensions. */
-    build_establish_intro_dos_extension(service_config, extensions);
+    ret = build_establish_intro_dos_extension(service_config, extensions);
+    if (ret < 0) {
+      /* Return no extensions on error. */
+      goto end;
+    }
   }
 
+ end:
   return extensions;
 }
 
@@ -1059,4 +1076,3 @@ hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
   /* The data object has no ownership of any members. */
   memwipe(data, 0, sizeof(hs_cell_introduce1_data_t));
 }
-