diff --git a/ChangeLog b/ChangeLog
index d58df3a37..1d3277cc7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,8 @@ Bugfix
    * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
      Karger)
    * cert_write app should use subject of issuer certificate as issuer of cert
+   * Fix false reject in padding check in ssl_decrypt_buf() for CBC
+     ciphersuites, for full SSL frames of data.
 
 = PolarSSL 1.3.6 released on 2014-04-11
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 116bc5cf4..271bfe605 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1633,13 +1633,15 @@ static int ssl_decrypt_buf( ssl_context *ssl )
              * Padding is guaranteed to be incorrect if:
              *   1. padlen >= ssl->in_msglen
              *
-             *   2. padding_idx > SSL_MAX_CONTENT_LEN
+             *   2. padding_idx >= SSL_MAX_CONTENT_LEN +
+             *                     ssl->transform_in->maclen
              *
              * In both cases we reset padding_idx to a safe value (0) to
              * prevent out-of-buffer reads.
              */
             correct &= ( ssl->in_msglen >= padlen + 1 );
-            correct &= ( padding_idx <= SSL_MAX_CONTENT_LEN );
+            correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
+                                       ssl->transform_in->maclen );
 
             padding_idx *= correct;