From 7fd5927081760e931573b71f3b44d40f9e9b7906 Mon Sep 17 00:00:00 2001
From: Daniel Liu <139250065@qq.com>
Date: Thu, 29 Jan 2026 13:55:27 +0800
Subject: [PATCH] accounts/scwallet: fix panic in decryptAPDU #33606 (#1982)
Validate ciphertext length in decryptAPDU, preventing runtime panics on invalid input.
Co-authored-by: DeFi Junkie
---
 accounts/scwallet/securechannel.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/accounts/scwallet/securechannel.go b/accounts/scwallet/securechannel.go
index a1bb7ac3d0..e016f4a7e0 100644
--- a/accounts/scwallet/securechannel.go
+++ b/accounts/scwallet/securechannel.go
@@ -300,6 +300,10 @@ func (s *SecureChannelSession) decryptAPDU(data []byte) ([]byte, error) {
 return nil, err
 }
+ if len(data) == 0 || len(data)%aes.BlockSize != 0 {
+ return nil, fmt.Errorf("invalid ciphertext length: %d", len(data))
+ }
+
 ret := make([]byte, len(data))
 crypter := cipher.NewCBCDecrypter(a, s.iv)
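Review bot: The new guard covers only the ciphertext, while the `cipher.NewCBCDecrypter(a, s.iv)` call on the hunk's last line still panics if `len(s.iv)` differs from the block size. Where `s.iv` is assigned is not visible here; if it can be derived from card-supplied bytes, the same check should cover it, e.g. `if len(s.iv) != aes.BlockSize { return nil, fmt.Errorf("invalid IV length: %d", len(s.iv)) }`. A one-line comment above the added check would also help, such as `// CryptBlocks panics unless len(data) is a whole number of AES blocks.`. The commit touches one file and adds no test, so a regression test feeding decryptAPDU an empty slice and a 15-byte slice would pin the fix. The body of decryptAPDU starts before and continues past this hunk.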