Merge pull request #8700 from embhorn/rel_fixes_cs

JacobBarthelmeh · web-flow · commit c22505a71a97 · 2025-04-23T11:36:15.000-06:00
Fixes from CodeSonar report
diff --git a/src/internal.c b/src/internal.c
@@ -14180,8 +14180,10 @@ int SetupStoreCtxCallback(WOLFSSL_X509_STORE_CTX** store_pt,
     if (store != NULL)
         wolfSSL_X509_STORE_CTX_free(store);
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-    if (x509 != NULL)
+    if (x509 != NULL) {
         wolfSSL_X509_free(x509);
+        x509 = NULL;
+    }
 #endif
     XFREE(domain, heap, DYNAMIC_TYPE_STRING);
     return MEMORY_E;
@@ -14607,6 +14609,7 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
                     if (x509 != NULL) {
                        ret = wolfSSL_X509_STORE_add_cert(store, x509);
                        wolfSSL_X509_free(x509);
+                       x509 = NULL;
                     } else {
                        WOLFSSL_MSG("failed to load certificate");
                        ret = WOLFSSL_FAILURE;
@@ -31664,6 +31667,7 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
                     return CLIENT_CERT_CB_ERROR;
                 }
                 wolfSSL_X509_free(x509);
+                x509 = NULL;
                 wolfSSL_EVP_PKEY_free(pkey);
 
             }
diff --git a/src/keys.c b/src/keys.c
@@ -124,6 +124,9 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
     }
 #endif /* NO_WOLFSSL_CLIENT */
 
+    /* Initialize specs */
+    XMEMSET(specs, 0, sizeof(CipherSpecs));
+
     /* Chacha extensions, 0xcc */
     if (cipherSuite0 == CHACHA_BYTE) {
 
diff --git a/src/pk.c b/src/pk.c
@@ -731,7 +731,7 @@ static int wolfssl_print_indent(WOLFSSL_BIO* bio, char* line, int lineLen,
     if (indent > 0) {
         /* Print indent spaces. */
         int len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " ");
-        if (len_wanted >= lineLen) {
+        if ((len_wanted < 0) || (len_wanted >= lineLen)) {
             WOLFSSL_ERROR_MSG("Buffer overflow formatting indentation");
             ret = 0;
         }
@@ -16173,6 +16173,11 @@ static int pem_write_data(const char *name, const char *header,
         *pemOut = pem;
         *pemOutLen = (word32)((size_t)p - (size_t)pem);
     }
+    else {
+        /* Dispose of any allocated memory. */
+        XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        pem = NULL;
+    }
 
     return ret;
 }
diff --git a/src/ssl.c b/src/ssl.c
@@ -1006,7 +1006,7 @@ int GetEchConfigsEx(WOLFSSL_EchConfig* configs, byte* output, word32* outputLen)
     word32 totalLen = 2;
     word32 workingOutputLen;
 
-    if (configs == NULL || outputLen == NULL)
+    if (configs == NULL || outputLen == NULL || *outputLen < totalLen)
         return BAD_FUNC_ARG;
 
     workingOutputLen = *outputLen - totalLen;
@@ -12511,6 +12511,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
             err = WOLFSSL_SUCCESS;
 cleanup:
             wolfSSL_X509_free(cert);
+            cert = NULL;
             wolfSSL_BIO_free(bio);
             if (err != WOLFSSL_SUCCESS) {
                 /* We failed so return NULL */
@@ -14520,6 +14521,7 @@ static int PushCAx509Chain(WOLFSSL_CERT_MANAGER* cm,
             break;
         if (wolfSSL_sk_X509_push(sk, issuer) <= 0) {
             wolfSSL_X509_free(issuer);
+            issuer = NULL;
             return WOLFSSL_FATAL_ERROR;
         }
         x = issuer;
@@ -14565,6 +14567,7 @@ static WOLF_STACK_OF(WOLFSSL_X509)* CreatePeerCertChain(const WOLFSSL* ssl,
         if (err != 0) {
             WOLFSSL_MSG("Error decoding cert");
             wolfSSL_X509_free(x509);
+            x509 = NULL;
             wolfSSL_sk_X509_pop_free(sk, NULL);
             return NULL;
         }
@@ -21159,6 +21162,7 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt)
                     WOLFSSL_MSG("Error adding certificate to context");
                     /* Decrease reference count on failure */
                     wolfSSL_X509_free(x509);
+                    x509 = NULL;
                 }
             }
         }
@@ -22993,7 +22997,7 @@ int wolfSSL_sk_WOLFSSL_STRING_num(WOLF_STACK_OF(WOLFSSL_STRING)* strings)
 void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data,
                                 unsigned int *len)
 {
-    word16 nameLen;
+    word16 nameLen = 0;
 
     if (ssl != NULL && data != NULL && len != NULL) {
         TLSX_ALPN_GetRequest(ssl->extensions, (void **)data, &nameLen);
diff --git a/src/ssl_certman.c b/src/ssl_certman.c
@@ -397,6 +397,7 @@ WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm)
         /* Decode certificate. */
         if ((!err) && (wolfSSL_sk_X509_push(sk, x509) <= 0)) {
             wolfSSL_X509_free(x509);
+            x509 = NULL;
             err = 1;
         }
     }
diff --git a/src/ssl_load.c b/src/ssl_load.c
@@ -4839,6 +4839,7 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
     if (ret == 1) {
         /* On success WOLFSSL_X509 memory is responsibility of SSL context. */
         wolfSSL_X509_free(x509);
+        x509 = NULL;
     }
 
     WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret);
@@ -4932,6 +4933,7 @@ int wolfSSL_CTX_add0_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
     if (ret == 1) {
         /* Down reference or free original now as we own certificate. */
         wolfSSL_X509_free(x509);
+        x509 = NULL;
     }
 
     return ret;
@@ -4990,6 +4992,7 @@ int wolfSSL_CTX_add1_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
         if (ret != 1) {
             /* Decrease reference count on error as we didn't store it. */
             wolfSSL_X509_free(x509);
+            x509 = NULL;
         }
     }
 
@@ -5053,6 +5056,7 @@ int wolfSSL_add0_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509)
             if (ret != 1) {
                 /* Free it now on error. */
                 wolfSSL_X509_free(x509);
+                x509 = NULL;
             }
         }
     }
@@ -5085,6 +5089,7 @@ int wolfSSL_add1_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509)
         if ((ret = wolfSSL_add0_chain_cert(ssl, x509)) != 1) {
             /* Decrease reference count on error as not stored. */
             wolfSSL_X509_free(x509);
+            x509 = NULL;
         }
     }
 
diff --git a/src/ssl_p7p12.c b/src/ssl_p7p12.c
@@ -227,6 +227,7 @@ WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* pkcs7)
         if (x509) {
             if (wolfSSL_sk_X509_push(ret, x509) <= 0) {
                 wolfSSL_X509_free(x509);
+                x509 = NULL;
                 WOLFSSL_MSG("wolfSSL_sk_X509_push error");
                 goto error;
             }
@@ -1176,6 +1177,8 @@ PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in,
                                           DYNAMIC_TYPE_PKCS7);
             if (canonSection == NULL) {
                 goto error;
+            } else {
+                XMEMSET(canonSection, 0, (word32)canonSize);
             }
 
             lineLen = wolfSSL_BIO_gets(in, section, remainLen);
@@ -1908,12 +1911,14 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
                 WOLFSSL_MSG("Issue with parsing certificate");
                 FreeDecodedCert(DeCert);
                 wolfSSL_X509_free(x509);
+                x509 = NULL;
             }
             else {
                 if (CopyDecodedToX509(x509, DeCert) != 0) {
                     WOLFSSL_MSG("Failed to copy decoded cert");
                     FreeDecodedCert(DeCert);
                     wolfSSL_X509_free(x509);
+                    x509 = NULL;
                     wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL;
                     XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY);
                     XFREE(certData, heap, DYNAMIC_TYPE_PKCS);
@@ -1933,6 +1938,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
                 if (wolfSSL_sk_X509_push(*ca, x509) <= 0) {
                     WOLFSSL_MSG("Failed to push x509 onto stack");
                     wolfSSL_X509_free(x509);
+                    x509 = NULL;
                     wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL;
                     XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY);
                     XFREE(certData, heap, DYNAMIC_TYPE_PKCS);
diff --git a/src/ssl_sess.c b/src/ssl_sess.c
@@ -1452,6 +1452,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
 #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
     if (peer != NULL) {
         wolfSSL_X509_free(peer);
+        peer = NULL;
     }
 #endif
 
diff --git a/src/tls13.c b/src/tls13.c
@@ -8692,6 +8692,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
                 ssl->options.sendVerify = SEND_CERT;
             }
             wolfSSL_X509_free(x509);
+            x509 = NULL;
             wolfSSL_EVP_PKEY_free(pkey);
         }
     }
diff --git a/src/x509.c b/src/x509.c
@@ -3599,9 +3599,8 @@ char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz)
                 WOLFSSL_MSG("Memory error");
                 return NULL;
             }
-            if ((strLen = XSNPRINTF(str, (size_t)strSz, "%s=%s, ", sn, buf))
-                >= strSz)
-            {
+            strLen = XSNPRINTF(str, (size_t)strSz, "%s=%s, ", sn, buf);
+            if ((strLen  < 0) || (strLen  >= strSz)) {
                 WOLFSSL_MSG("buffer overrun");
                 XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                 return NULL;
@@ -3617,8 +3616,8 @@ char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz)
                 WOLFSSL_MSG("Memory error");
                 return NULL;
             }
-            if ((strLen = XSNPRINTF(str, (size_t)strSz, "%s=%s", sn,
-                    buf)) >= strSz) {
+            strLen = XSNPRINTF(str, (size_t)strSz, "%s=%s", sn, buf);
+            if ((strLen  < 0) || (strLen  >= strSz)) {
                 WOLFSSL_MSG("buffer overrun");
                 XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                 return NULL;
@@ -6971,7 +6970,7 @@ static int X509PrintPubKey(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent)
         case ECDSAk:
             len = XSNPRINTF(scratch, MAX_WIDTH,
                     "%*sPublic Key Algorithm: EC\n", indent + 4, "");
-            if (len >= MAX_WIDTH)
+            if ((len < 0) || (len >= MAX_WIDTH))
                 return WOLFSSL_FAILURE;
             if (wolfSSL_BIO_write(bio, scratch, len) <= 0)
                 return WOLFSSL_FAILURE;
@@ -7033,22 +7032,21 @@ static int X509PrintVersion(WOLFSSL_BIO* bio, int version, int indent)
     char scratch[MAX_WIDTH];
     int scratchLen;
 
-    if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH,
-                                 "%*s%s", indent, "", "Version:"))
-        >= MAX_WIDTH)
-    {
+    scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Version:");
+    if ((scratchLen < 0) || (scratchLen >= MAX_WIDTH)) {
         return WOLFSSL_FAILURE;
     }
+
     if (wolfSSL_BIO_write(bio, scratch, scratchLen) <= 0) {
         return WOLFSSL_FAILURE;
     }
 
-    if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH,
-                                 " %d (0x%x)\n", version, (byte)version-1))
-        >= MAX_WIDTH)
-    {
+    scratchLen = XSNPRINTF(scratch, MAX_WIDTH, " %d (0x%x)\n",
+                    version, (byte)version-1);
+    if ((scratchLen < 0) || (scratchLen >= MAX_WIDTH)) {
         return WOLFSSL_FAILURE;
     }
+
     if (wolfSSL_BIO_write(bio, scratch, scratchLen) <= 0) {
         return WOLFSSL_FAILURE;
     }
@@ -8064,6 +8062,7 @@ int wc_GeneratePreTBS(DecodedCert* cert, byte *der, int derSz) {
 
     if (x != NULL) {
         wolfSSL_X509_free(x);
+        x = NULL;
     }
 
     return ret;
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -100,6 +100,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
 
         if (ctx->current_issuer != NULL) {
             wolfSSL_X509_free(ctx->current_issuer);
+            ctx->current_issuer = NULL;
         }
 #endif
 
@@ -815,6 +816,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
             if (wolfSSL_sk_X509_push(sk, x509) <= 0) {
                 WOLFSSL_MSG("Unable to load x509 into stack");
                 wolfSSL_X509_free(x509);
+                x509 = NULL;
                 error = 1;
                 break;
             }
@@ -837,18 +839,21 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
                             WOLFSSL_MSG("Unable to load CA x509 into stack");
                             error = 1;
                             wolfSSL_X509_free(issuer);
+                            issuer = NULL;
                         }
                     }
                     else {
                         WOLFSSL_MSG("Certificate is self signed");
                         wolfSSL_X509_free(issuer);
+                        issuer = NULL;
                     }
                 }
                 else {
                     WOLFSSL_MSG("Could not find CA for certificate");
                 }
             }
             wolfSSL_X509_free(x509);
+            x509 = NULL;
         }
 #endif
         if (error) {
@@ -968,6 +973,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(
                                 <= 0) {
                         err = 1;
                         wolfSSL_X509_free(filteredCert);
+                        filteredCert = NULL;
                         break;
                     }
                 }
@@ -1405,6 +1411,7 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
                     else {
                         result = WOLFSSL_FATAL_ERROR;
                         wolfSSL_X509_free(x509);
+                        x509 = NULL;
                     }
                 }
             }
@@ -1420,6 +1427,7 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
                     else {
                         result = WOLFSSL_FATAL_ERROR;
                         wolfSSL_X509_free(x509);
+                        x509 = NULL;
                     }
                 }
             }
@@ -1491,7 +1499,7 @@ int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
             }
         }
         wolfSSL_X509_free(x509);
-
+        x509 = NULL;
     }
     else {
         ret = WOLFSSL_FAILURE;
@@ -1788,6 +1796,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s)
             if (wolfSSL_sk_X509_push(sk, x509) <= 0) {
                 WOLFSSL_MSG("Unable to load x509 into stack");
                 wolfSSL_X509_free(x509);
+                x509 = NULL;
                 goto error;
             }
         }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -36772,6 +36772,9 @@ int wc_Ed25519PublicKeyDecode(const byte* input, word32* inOutIdx,
         return BAD_FUNC_ARG;
     }
 
+    /* init pubKey */
+    XMEMSET(pubKey, 0, sizeof(pubKey));
+
     ret = DecodeAsymKeyPublic(input, inOutIdx, inSz,
         pubKey, &pubKeyLen, ED25519k);
     if (ret == 0) {
@@ -36812,6 +36815,9 @@ int wc_Curve25519PublicKeyDecode(const byte* input, word32* inOutIdx,
         return BAD_FUNC_ARG;
     }
 
+    /* init pubKey */
+    XMEMSET(pubKey, 0, sizeof(pubKey));
+
     ret = DecodeAsymKeyPublic(input, inOutIdx, inSz,
         pubKey, &pubKeyLen, X25519k);
     if (ret == 0) {
@@ -37214,6 +37220,9 @@ int wc_Curve448PublicKeyDecode(const byte* input, word32* inOutIdx,
         return BAD_FUNC_ARG;
     }
 
+    /* init pubKey */
+    XMEMSET(pubKey, 0, sizeof(pubKey));
+
     ret = DecodeAsymKeyPublic(input, inOutIdx, inSz,
         pubKey, &pubKeyLen, X448k);
     if (ret == 0) {
diff --git a/wolfcrypt/src/cpuid.c b/wolfcrypt/src/cpuid.c
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,9 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,`
`124`	`124`	`}`
`125`	`125`	`#endif /* NO_WOLFSSL_CLIENT */`
`126`	`126`
	`127`	`+ /* Initialize specs */`
	`128`	`+ XMEMSET(specs, 0, sizeof(CipherSpecs));`
	`129`	`+`
`127`	`130`	`/* Chacha extensions, 0xcc */`
`128`	`131`	`if (cipherSuite0 == CHACHA_BYTE) {`
`129`	`132`
Original file line number	Diff line number	Diff line change
`@@ -731,7 +731,7 @@ static int wolfssl_print_indent(WOLFSSL_BIO* bio, char* line, int lineLen,`
`731`	`731`	`if (indent > 0) {`
`732`	`732`	`/* Print indent spaces. */`
`733`	`733`	`int len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " ");`
`734`		`- if (len_wanted >= lineLen) {`
	`734`	`+ if ((len_wanted < 0) \|\| (len_wanted >= lineLen)) {`
`735`	`735`	`WOLFSSL_ERROR_MSG("Buffer overflow formatting indentation");`
`736`	`736`	`ret = 0;`
`737`	`737`	`}`
`@@ -16173,6 +16173,11 @@ static int pem_write_data(const char name, const char header,`
`16173`	`16173`	`*pemOut = pem;`
`16174`	`16174`	`*pemOutLen = (word32)((size_t)p - (size_t)pem);`
`16175`	`16175`	`}`
	`16176`	`+ else {`
	`16177`	`+ /* Dispose of any allocated memory. */`
	`16178`	`+ XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
	`16179`	`+ pem = NULL;`
	`16180`	`+ }`
`16176`	`16181`
`16177`	`16182`	`return ret;`
`16178`	`16183`	`}`
Original file line number	Diff line number	Diff line change
`@@ -397,6 +397,7 @@ WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm)`
`397`	`397`	`/* Decode certificate. */`
`398`	`398`	`if ((!err) && (wolfSSL_sk_X509_push(sk, x509) <= 0)) {`
`399`	`399`	`wolfSSL_X509_free(x509);`
	`400`	`+ x509 = NULL;`
`400`	`401`	`err = 1;`
`401`	`402`	`}`
`402`	`403`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4839,6 +4839,7 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)`
`4839`	`4839`	`if (ret == 1) {`
`4840`	`4840`	`/* On success WOLFSSL_X509 memory is responsibility of SSL context. */`
`4841`	`4841`	`wolfSSL_X509_free(x509);`
	`4842`	`+ x509 = NULL;`
`4842`	`4843`	`}`
`4843`	`4844`
`4844`	`4845`	`WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret);`
`@@ -4932,6 +4933,7 @@ int wolfSSL_CTX_add0_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)`
`4932`	`4933`	`if (ret == 1) {`
`4933`	`4934`	`/* Down reference or free original now as we own certificate. */`
`4934`	`4935`	`wolfSSL_X509_free(x509);`
	`4936`	`+ x509 = NULL;`
`4935`	`4937`	`}`
`4936`	`4938`
`4937`	`4939`	`return ret;`
`@@ -4990,6 +4992,7 @@ int wolfSSL_CTX_add1_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)`
`4990`	`4992`	`if (ret != 1) {`
`4991`	`4993`	`/* Decrease reference count on error as we didn't store it. */`
`4992`	`4994`	`wolfSSL_X509_free(x509);`
	`4995`	`+ x509 = NULL;`
`4993`	`4996`	`}`
`4994`	`4997`	`}`
`4995`	`4998`
`@@ -5053,6 +5056,7 @@ int wolfSSL_add0_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509)`
`5053`	`5056`	`if (ret != 1) {`
`5054`	`5057`	`/* Free it now on error. */`
`5055`	`5058`	`wolfSSL_X509_free(x509);`
	`5059`	`+ x509 = NULL;`
`5056`	`5060`	`}`
`5057`	`5061`	`}`
`5058`	`5062`	`}`
`@@ -5085,6 +5089,7 @@ int wolfSSL_add1_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509)`
`5085`	`5089`	`if ((ret = wolfSSL_add0_chain_cert(ssl, x509)) != 1) {`
`5086`	`5090`	`/* Decrease reference count on error as not stored. */`
`5087`	`5091`	`wolfSSL_X509_free(x509);`
	`5092`	`+ x509 = NULL;`
`5088`	`5093`	`}`
`5089`	`5094`	`}`
`5090`	`5095`
Original file line number	Diff line number	Diff line change
`@@ -1452,6 +1452,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)`
`1452`	`1452`	`#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)`
`1453`	`1453`	`if (peer != NULL) {`
`1454`	`1454`	`wolfSSL_X509_free(peer);`
	`1455`	`+ peer = NULL;`
`1455`	`1456`	`}`
`1456`	`1457`	`#endif`
`1457`	`1458`
Original file line number	Diff line number	Diff line change
`@@ -8692,6 +8692,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)`
`8692`	`8692`	`ssl->options.sendVerify = SEND_CERT;`
`8693`	`8693`	`}`
`8694`	`8694`	`wolfSSL_X509_free(x509);`
	`8695`	`+ x509 = NULL;`
`8695`	`8696`	`wolfSSL_EVP_PKEY_free(pkey);`
`8696`	`8697`	`}`
`8697`	`8698`	`}`
Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)`
`100`	`100`
`101`	`101`	`if (ctx->current_issuer != NULL) {`
`102`	`102`	`wolfSSL_X509_free(ctx->current_issuer);`
	`103`	`+ ctx->current_issuer = NULL;`
`103`	`104`	`}`
`104`	`105`	`#endif`
`105`	`106`
`@@ -815,6 +816,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)`
`815`	`816`	`if (wolfSSL_sk_X509_push(sk, x509) <= 0) {`
`816`	`817`	`WOLFSSL_MSG("Unable to load x509 into stack");`
`817`	`818`	`wolfSSL_X509_free(x509);`
	`819`	`+ x509 = NULL;`
`818`	`820`	`error = 1;`
`819`	`821`	`break;`
`820`	`822`	`}`
`@@ -837,18 +839,21 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)`
`837`	`839`	`WOLFSSL_MSG("Unable to load CA x509 into stack");`
`838`	`840`	`error = 1;`
`839`	`841`	`wolfSSL_X509_free(issuer);`
	`842`	`+ issuer = NULL;`
`840`	`843`	`}`
`841`	`844`	`}`
`842`	`845`	`else {`
`843`	`846`	`WOLFSSL_MSG("Certificate is self signed");`
`844`	`847`	`wolfSSL_X509_free(issuer);`
	`848`	`+ issuer = NULL;`
`845`	`849`	`}`
`846`	`850`	`}`
`847`	`851`	`else {`
`848`	`852`	`WOLFSSL_MSG("Could not find CA for certificate");`
`849`	`853`	`}`
`850`	`854`	`}`
`851`	`855`	`wolfSSL_X509_free(x509);`
	`856`	`+ x509 = NULL;`
`852`	`857`	`}`
`853`	`858`	`#endif`
`854`	`859`	`if (error) {`
`@@ -968,6 +973,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(`
`968`	`973`	`<= 0) {`
`969`	`974`	`err = 1;`
`970`	`975`	`wolfSSL_X509_free(filteredCert);`
	`976`	`+ filteredCert = NULL;`
`971`	`977`	`break;`
`972`	`978`	`}`
`973`	`979`	`}`
`@@ -1405,6 +1411,7 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)`
`1405`	`1411`	`else {`
`1406`	`1412`	`result = WOLFSSL_FATAL_ERROR;`
`1407`	`1413`	`wolfSSL_X509_free(x509);`
	`1414`	`+ x509 = NULL;`
`1408`	`1415`	`}`
`1409`	`1416`	`}`
`1410`	`1417`	`}`
`@@ -1420,6 +1427,7 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)`
`1420`	`1427`	`else {`
`1421`	`1428`	`result = WOLFSSL_FATAL_ERROR;`
`1422`	`1429`	`wolfSSL_X509_free(x509);`
	`1430`	`+ x509 = NULL;`
`1423`	`1431`	`}`
`1424`	`1432`	`}`
`1425`	`1433`	`}`
`@@ -1491,7 +1499,7 @@ int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,`
`1491`	`1499`	`}`
`1492`	`1500`	`}`
`1493`	`1501`	`wolfSSL_X509_free(x509);`
`1494`		`-`
	`1502`	`+ x509 = NULL;`
`1495`	`1503`	`}`
`1496`	`1504`	`else {`
`1497`	`1505`	`ret = WOLFSSL_FAILURE;`
`@@ -1788,6 +1796,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s)`
`1788`	`1796`	`if (wolfSSL_sk_X509_push(sk, x509) <= 0) {`
`1789`	`1797`	`WOLFSSL_MSG("Unable to load x509 into stack");`
`1790`	`1798`	`wolfSSL_X509_free(x509);`
	`1799`	`+ x509 = NULL;`
`1791`	`1800`	`goto error;`
`1792`	`1801`	`}`
`1793`	`1802`	`}`