diff --git a/libfreerdp/core/capabilities.c b/libfreerdp/core/capabilities.c
index d6727378c..be0c2d5a6 100644
--- a/libfreerdp/core/capabilities.c
+++ b/libfreerdp/core/capabilities.c
@@ -3862,7 +3862,7 @@ BOOL rdp_recv_get_active_header(rdpRdp* rdp, wStream* s, UINT16* pChannelId, UIN
 
 		if (securityFlags & SEC_ENCRYPT)
 		{
-			if (!rdp_decrypt(rdp, s, *length, securityFlags))
+			if (!rdp_decrypt(rdp, s, length, securityFlags))
 			{
 				WLog_ERR(TAG, "rdp_decrypt failed");
 				return FALSE;
diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index 6c6ae2602..7a66e8e12 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -991,7 +991,7 @@ BOOL rdp_client_connect_auto_detect(rdpRdp* rdp, wStream* s)
 
 				if (securityFlags & SEC_ENCRYPT)
 				{
-					if (!rdp_decrypt(rdp, s, length, securityFlags))
+					if (!rdp_decrypt(rdp, s, &length, securityFlags))
 					{
 						WLog_ERR(TAG, "rdp_decrypt failed");
 						return FALSE;
diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c
index fbe5071e8..843693e01 100644
--- a/libfreerdp/core/info.c
+++ b/libfreerdp/core/info.c
@@ -991,7 +991,7 @@ BOOL rdp_recv_client_info(rdpRdp* rdp, wStream* s)
 
 		if (securityFlags & SEC_ENCRYPT)
 		{
-			if (!rdp_decrypt(rdp, s, length, securityFlags))
+			if (!rdp_decrypt(rdp, s, &length, securityFlags))
 			{
 				WLog_ERR(TAG, "rdp_decrypt failed");
 				return FALSE;
diff --git a/libfreerdp/core/license.c b/libfreerdp/core/license.c
index 08081c0dd..18bcb9fa4 100644
--- a/libfreerdp/core/license.c
+++ b/libfreerdp/core/license.c
@@ -467,7 +467,7 @@ int license_recv(rdpLicense* license, wStream* s)
 
 	if (securityFlags & SEC_ENCRYPT)
 	{
-		if (!rdp_decrypt(license->rdp, s, length, securityFlags))
+		if (!rdp_decrypt(license->rdp, s, &length, securityFlags))
 		{
 			WLog_ERR(TAG, "rdp_decrypt failed");
 			return -1;
diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c
index 63bb52fb7..f160c3c56 100644
--- a/libfreerdp/core/peer.c
+++ b/libfreerdp/core/peer.c
@@ -371,7 +371,7 @@ static int peer_recv_tpkt_pdu(freerdp_peer* client, wStream* s)
 
 		if (securityFlags & SEC_ENCRYPT)
 		{
-			if (!rdp_decrypt(rdp, s, length, securityFlags))
+			if (!rdp_decrypt(rdp, s, &length, securityFlags))
 			{
 				WLog_ERR(TAG, "rdp_decrypt failed");
 				return -1;
@@ -446,7 +446,7 @@ static int peer_recv_fastpath_pdu(freerdp_peer* client, wStream* s)
 
 	if (fastpath->encryptionFlags & FASTPATH_OUTPUT_ENCRYPTED)
 	{
-		if (!rdp_decrypt(rdp, s, length,
+		if (!rdp_decrypt(rdp, s, &length,
 		                 (fastpath->encryptionFlags & FASTPATH_OUTPUT_SECURE_CHECKSUM)
 		                     ? SEC_SECURE_CHECKSUM
 		                     : 0))
diff --git a/libfreerdp/core/rdp.c b/libfreerdp/core/rdp.c
index 2830e1ed5..144a34415 100644
--- a/libfreerdp/core/rdp.c
+++ b/libfreerdp/core/rdp.c
@@ -1141,15 +1141,17 @@ void rdp_read_flow_control_pdu(wStream* s, UINT16* type)
  * @param length int
  */
 
-BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, INT32 length, UINT16 securityFlags)
+BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, UINT16* pLength, UINT16 securityFlags)
 {
 	BYTE cmac[8];
 	BYTE wmac[8];
 	BOOL status;
+	INT32 length;
 
-	if (!rdp || !s || (length < 0))
+	if (!rdp || !s || !pLength)
 		return FALSE;
 
+	length = *pLength;
 	if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
 	{
 		UINT16 len;
@@ -1184,6 +1186,7 @@ BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, INT32 length, UINT16 securityFlags)
 		}
 
 		Stream_SetLength(s, Stream_Length(s) - pad);
+		*pLength = padLength;
 		return TRUE;
 	}
 
@@ -1220,6 +1223,7 @@ BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, INT32 length, UINT16 securityFlags)
 		// return FALSE;
 	}
 
+	*pLength = length;
 	return TRUE;
 }
 
@@ -1290,7 +1294,7 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
 
 		if (securityFlags & (SEC_ENCRYPT | SEC_REDIRECTION_PKT))
 		{
-			if (!rdp_decrypt(rdp, s, length, securityFlags))
+			if (!rdp_decrypt(rdp, s, &length, securityFlags))
 			{
 				WLog_ERR(TAG, "rdp_decrypt failed");
 				return -1;
@@ -1435,7 +1439,7 @@ static int rdp_recv_fastpath_pdu(rdpRdp* rdp, wStream* s)
 		UINT16 flags =
 		    (fastpath->encryptionFlags & FASTPATH_OUTPUT_SECURE_CHECKSUM) ? SEC_SECURE_CHECKSUM : 0;
 
-		if (!rdp_decrypt(rdp, s, length, flags))
+		if (!rdp_decrypt(rdp, s, &length, flags))
 		{
 			WLog_ERR(TAG, "rdp_recv_fastpath_pdu: rdp_decrypt() fail");
 			return -1;
diff --git a/libfreerdp/core/rdp.h b/libfreerdp/core/rdp.h
index f28d45ea5..8e12a4441 100644
--- a/libfreerdp/core/rdp.h
+++ b/libfreerdp/core/rdp.h
@@ -233,7 +233,7 @@ extern const char* DATA_PDU_TYPE_STRINGS[80];
 	} while (0)
 #endif
 
-BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, INT32 length, UINT16 securityFlags);
+BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, UINT16* pLength, UINT16 securityFlags);
 
 BOOL rdp_set_error_info(rdpRdp* rdp, UINT32 errorInfo);
 BOOL rdp_send_error_info(rdpRdp* rdp);