diff -up ./lib/softoken/kbkdf.c.kdf_update ./lib/softoken/kbkdf.c
--- ./lib/softoken/kbkdf.c.kdf_update 2019-11-27 16:48:01.864135431 -0800
+++ ./lib/softoken/kbkdf.c 2019-11-27 16:48:51.779661708 -0800
@@ -160,6 +160,9 @@ static CK_RV kbkdf_ValidateParameter(CK_
 /* There is no additional data to validate for byte arrays; we can
 * only assume the context is of the correct size. */
 break;
+ default:
+ /* don't allow unknown types */
+ return CKR_MECHANISM_PARAM_INVALID;
 }
 
 return CKR_OK;
@@ -250,14 +253,16 @@ static CK_RV kbkdf_ValidateParameters(CK
 return CKR_MECHANISM_PARAM_INVALID;
 }
 
- /* Count that we have a parameter of this type. */
- param_type_count[params->pDataParams[offset].type] += 1;
-
 /* Validate this parameter has acceptable values. */
 ret = kbkdf_ValidateParameter(mech, params->pDataParams + offset);
 if (ret != CKR_OK) {
- return CKR_MECHANISM_PARAM_INVALID;
+ return ret;
 }
+ /* Count that we have a parameter of this type. */
+ /* Do this after we've validated the param to make sure we don't
+ * overflow our array */
+ PORT_Assert(params->pDataParams[offset].type < sizeof(param_type_count)/sizeof(param_type_count[0]));
+ param_type_count[params->pDataParams[offset].type] += 1;
 }
 
 if (mech == CKM_SP800_108_COUNTER_KDF || mech == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA) {
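Review bot: The bound on `params->pDataParams[offset].type` before it indexes `param_type_count` is only a PORT_Assert, which like PR_ASSERT is compiled out of non-DEBUG builds, so in a release build the array write is protected solely by kbkdf_ValidateParameter's new `default:` case rejecting unknown types, a coupling that nothing in this hunk records. A runtime check keeps the guard in every build and does not rely on the switch in the other function staying in step with the array size: `if (params->pDataParams[offset].type >= sizeof(param_type_count) / sizeof(param_type_count[0])) { return CKR_MECHANISM_PARAM_INVALID; }`. The declaration of `param_type_count` and the rest of kbkdf_ValidateParameters are outside the hunk, so whether the switch cases in kbkdf_ValidateParameter cover exactly the array's valid indices cannot be confirmed from here.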
@@ -306,18 +311,20 @@ static CK_RV kbkdf_ValidateParameters(CK
 /* [ section: parameter helpers ] */
 
 static void kbkdf_EncodeInteger(uint64_t integer, CK_ULONG num_bits, CK_BBOOL littleEndian, CK_BYTE_PTR output, CK_ULONG_PTR output_len) {
- uint64_t reordered;
+ CK_ULONG num_bytes = num_bits/8;
+ CK_ULONG i;
 
 if (output_len) {
- *output_len = (num_bits / 8);
+ *output_len = num_bytes;
 }
 
 if (littleEndian == CK_TRUE) {
- reordered = htole64(integer);
- memcpy(output, &reordered, num_bits/8);
+ for (i=0; i < num_bytes; i++) {
+ output[i] = (integer >> i*8) & 0xff;
+ }
 } else {
- reordered = htobe64(integer);
- reordered = reordered >> (64 - num_bits);
- memcpy(output, &reordered, (num_bits/8));
+ for (i=num_bytes; i > 0; i--) {
+ output[num_bytes-i] = (integer >> (i-1)*8) & 0xff;
+ }
 }
 }
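Review bot: kbkdf_EncodeInteger's new loops depend on `num_bits` being a multiple of 8 and at most 64, and nothing in the function states or checks this: with `num_bits > 64` the shift amount `i*8` reaches 64, which is undefined for a uint64_t, and with `num_bits` not a multiple of 8 the remaining bits are silently dropped by `num_bits/8`. Presumably the caller validates this before the call (kbkdf_ValidateParameters is outside this hunk), but the precondition belongs on the function; a comment such as `/* num_bits must be a multiple of 8 and <= 64; the low num_bits of integer are written to output. */` together with `PORT_Assert(num_bits <= 64 && (num_bits % 8) == 0);` at the top of the body would make it explicit to the next caller. The two loop bodies themselves produce the correct little- and big-endian byte orders for the low `num_bytes` bytes of `integer`.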