diff --git a/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c b/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c
index 604644fbc2..5665677dca 100644
--- a/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c
+++ b/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c
@@ -373,19 +373,23 @@ uint8_t *sec_prot_lib_message_handle(uint8_t *ptk, uint16_t *kde_len, eapol_pdu_
     uint8_t *kde = ns_dyn_mem_temporary_alloc(key_data_len);
     *kde_len = key_data_len;
 
-    if (eapol_pdu->msg.key.key_information.encrypted_key_data) {
-        size_t output_len = eapol_pdu->msg.key.key_data_length;
-        if (nist_aes_key_wrap(0, &ptk[KEK_INDEX], 128, key_data, key_data_len, kde, &output_len) < 0 || output_len != (size_t) key_data_len - 8) {
-            tr_error("Decrypt failed");
-            ns_dyn_mem_free(kde);
-            return NULL;
+    if (kde) {
+        if (eapol_pdu->msg.key.key_information.encrypted_key_data) {
+            size_t output_len = eapol_pdu->msg.key.key_data_length;
+            if (nist_aes_key_wrap(0, &ptk[KEK_INDEX], 128, key_data, key_data_len, kde, &output_len) < 0 || output_len != (size_t) key_data_len - 8) {
+                tr_error("Decrypt failed");
+                ns_dyn_mem_free(kde);
+                return NULL;
+            }
+            *kde_len = output_len;
+        } else {
+            memcpy(kde, key_data, *kde_len);
         }
-        *kde_len = output_len;
-    } else {
-        memcpy(kde, key_data, *kde_len);
+
+        return kde;
     }
 
-    return kde;
+    return NULL;   
 }
 
 int8_t sec_prot_lib_gtk_read(uint8_t *kde, uint16_t kde_len, sec_prot_keys_t *sec_keys)