diff --git a/tests/api.c b/tests/api.c
index 0c7d41456..37a8d8d20 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -21038,12 +21038,14 @@ static int test_wc_ecc_signVerify_hash (void)
     #endif
     word32      siglen = ECC_BUFSIZE;
     byte        sig[ECC_BUFSIZE];
+    byte        adjustedSig[ECC_BUFSIZE+1];
     byte        digest[] = TEST_STRING;
     word32      digestlen = (word32)TEST_STRING_SZ;
 
     /* Init stack var */
     XMEMSET(sig, 0, siglen);
     XMEMSET(&key, 0, sizeof(key));
+    XMEMSET(adjustedSig, 0, ECC_BUFSIZE+1);
 
     /* Init structs. */
     ret = wc_InitRng(&rng);
@@ -21095,6 +21097,20 @@ static int test_wc_ecc_signVerify_hash (void)
         if (verify != 1 && ret == 0) {
             ret = WOLFSSL_FATAL_ERROR;
         }
+
+        /* test check on length of signature passed in */
+        XMEMCPY(adjustedSig, sig, siglen);
+        adjustedSig[1] = adjustedSig[1] + 1; /* add 1 to length for extra byte*/
+#ifndef NO_STRICT_ECDSA_LEN
+        AssertIntNE(wc_ecc_verify_hash(adjustedSig, siglen+1, digest, digestlen,
+                    &verify, &key), 0);
+#else
+        /* if NO_STRICT_ECDSA_LEN is set then extra bytes after the signature
+         * is allowed */
+        AssertIntEQ(wc_ecc_verify_hash(adjustedSig, siglen+1, digest, digestlen,
+                    &verify, &key), 0);
+#endif
+
         /* Test bad args. */
         if (ret == 0) {
             verifyH = wc_ecc_verify_hash(NULL, siglen, digest, digestlen,
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 9df7aaa3d..dad5d5c6b 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -15964,6 +15964,14 @@ int DecodeECC_DSA_Sig_Bin(const byte* sig, word32 sigLen, byte* r, word32* rLen,
     if (s)
         XMEMCPY(s, (byte*)sig + idx, len);
 
+#ifndef NO_STRICT_ECDSA_LEN
+    /* sanity check that the index has been advanced all the way to the end of
+     * the buffer */
+    if (idx + len != sigLen) {
+        ret = ASN_ECC_KEY_E;
+    }
+#endif
+
     return ret;
 }
 #endif
@@ -15999,6 +16007,16 @@ int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
         return ASN_ECC_KEY_E;
     }
 
+#ifndef NO_STRICT_ECDSA_LEN
+    /* sanity check that the index has been advanced all the way to the end of
+     * the buffer */
+    if (idx != sigLen) {
+        mp_clear(r);
+        mp_clear(s);
+        return ASN_ECC_KEY_E;
+    }
+#endif
+
     return 0;
 }
 #endif