diff --git a/ChangeLog b/ChangeLog
index 1b01eb682..a2db8594b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,8 @@ Bugfix
    * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
      dates on leap years with 100 and 400 intervals are handled correctly. Found
      by Nicholas Wilson. #694
+   * Add a check for invalid private parameters in ecdsa_sign.
+     Reported by Yolan Romailler.
 
 = mbed TLS 2.1.9 branch released 2017-08-10
 
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 4156f3c3c..8892317bf 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -81,6 +81,10 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
     if( grp->N.p == NULL )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
+    /* Make sure d is in range 1..n-1 */
+    if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
     mbedtls_ecp_point_init( &R );
     mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );