diff --git a/src/internal.c b/src/internal.c
index c5e4554e5..57fdb6e40 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1063,12 +1063,12 @@ static int ImportPeerInfo(WOLFSSL* ssl, byte* buf, word32 len, byte ver)
 
     /* import ip address idx, and ipSz are unsigned but cast for enum */
     ato16(buf + idx, &ipSz); idx += DTLS_EXPORT_LEN;
-    if (ipSz > sizeof(ip) || (word16)(idx + ipSz + DTLS_EXPORT_LEN) > len) {
+    if (ipSz >= sizeof(ip) || (word16)(idx + ipSz + DTLS_EXPORT_LEN) > len) {
         return BUFFER_E;
     }
     XMEMSET(ip, 0, sizeof(ip));
     XMEMCPY(ip, buf + idx, ipSz); idx += ipSz;
-    ip[ipSz] = '\0';
+    ip[ipSz] = '\0'; /* with check that ipSz less than ip this is valid */
     ato16(buf + idx, &port); idx += DTLS_EXPORT_LEN;
 
     /* sanity check for a function to call, then use it to import peer info */
diff --git a/src/ssl.c b/src/ssl.c
index 9e502ea36..f4ebd6362 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -12832,8 +12832,10 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
 
         if (buf != NULL && text != NULL) {
             textSz = min(textSz, len);
-            XMEMCPY(buf, text, textSz);
-            buf[textSz] = '\0';
+            if (textSz > 0) {
+                XMEMCPY(buf, text, textSz - 1);
+                buf[textSz - 1] = '\0';
+            }
         }
 
         WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_text_by_NID", textSz);