diff --git a/nts_ntp_auth.c b/nts_ntp_auth.c
index 8896d8e..2ff6d0d 100644
--- a/nts_ntp_auth.c
+++ b/nts_ntp_auth.c
@@ -128,6 +128,9 @@ NNA_DecryptAuthEF(NTP_Packet *packet, NTP_PacketInfo *info, SIV_Instance siv, in
   void *ef_body;
   struct AuthHeader *header;
 
+  if (buffer_length < 0)
+    return 0;
+
   if (!NEF_ParseField(packet, info->length, ef_start,
                       NULL, &ef_type, &ef_body, &ef_body_length))
     return 0;
diff --git a/test/unit/nts_ntp_auth.c b/test/unit/nts_ntp_auth.c
index dc5143d..307b93b 100644
--- a/test/unit/nts_ntp_auth.c
+++ b/test/unit/nts_ntp_auth.c
@@ -82,6 +82,10 @@ test_unit(void)
     TEST_CHECK(r);
     TEST_CHECK(info.length - packet_length >= min_ef_length);
 
+    r = NNA_DecryptAuthEF(&packet, &info, siv, packet_length, plaintext2,
+                          -1, &plaintext2_length);
+    TEST_CHECK(!r);
+
     r = NNA_DecryptAuthEF(&packet, &info, siv, packet_length, plaintext2,
                           sizeof (plaintext2), &plaintext2_length);
     TEST_CHECK(r);