diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 46016dcb7f..d252930fd7 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -49,6 +49,7 @@
 /* Error codes in range 0x0020-0x0022 */
 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
+#define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0024  /**< Invalid input data. */
 
 /* Error codes in range 0x0023-0x0025 */
 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
diff --git a/library/aes.c b/library/aes.c
index da94b19439..3bb8515201 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1082,6 +1082,9 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
     int c, i;
     size_t n = *nc_off;
 
+    if ( n > 0x0F )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
     while( length-- )
     {
         if( n == 0 ) {