diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index b6add1b5c28..6efb87801cb 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -1257,6 +1257,21 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 			status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
 			goto out;
 		}
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG
+		/*
+		 * Note that gnutls before 3.5.2 had a bug and returned
+		 * *ptext_len = ctext_len, instead of
+		 * *ptext_len = ctext_len - tag_size
+		 */
+		if (ptext_size != ctext_size) {
+			TALLOC_FREE(ptext);
+			TALLOC_FREE(ctext);
+			rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
+			status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+			goto out;
+		}
+		ptext_size -= tag_size;
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */
 		if (ptext_size != m_total) {
 			TALLOC_FREE(ptext);
 			TALLOC_FREE(ctext);
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index 62fe3d5ddda..c6eb9df7b64 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -44,6 +44,9 @@ if (gnutls_version > parse_version('3.6.10')):
         if (gnutls_version > parse_version('3.6.14')):
             conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
 
+if (gnutls_version < parse_version('3.5.2')):
+    conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
+
 # Check if gnutls has fips mode support
 # gnutls_fips140_mode_enabled() is available since 3.3.0
 fragment = '''