From 9be06ee224e892092d3921e1b457370352ffee9b Mon Sep 17 00:00:00 2001
From: DeFi Junkie <deffie.jnkiee@gmail.com>
Date: Tue, 20 Jan 2026 14:04:23 +0300
Subject: [PATCH] accounts/scwallet: fix panic in decryptAPDU (#33606)

Validate ciphertext length in decryptAPDU, preventing runtime panics on
invalid input.
---
 accounts/scwallet/securechannel.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/accounts/scwallet/securechannel.go b/accounts/scwallet/securechannel.go
index 9116a9e3f8..187d7b9f24 100644
--- a/accounts/scwallet/securechannel.go
+++ b/accounts/scwallet/securechannel.go
@@ -300,6 +300,10 @@ func (s *SecureChannelSession) decryptAPDU(data []byte) ([]byte, error) {
 		return nil, err
 	}
 
+	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
+		return nil, fmt.Errorf("invalid ciphertext length: %d", len(data))
+	}
+
 	ret := make([]byte, len(data))
 
 	crypter := cipher.NewCBCDecrypter(a, s.iv)