From 5751319e000789bbb6e19bc6649493b4f7a51009 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 4 Nov 2020 23:11:42 -0600
Subject: [PATCH] fix various possibly spurious scan-build null deref reports.
---
 src/tls13.c | 7 ++++++-
 wolfcrypt/src/asn.c | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/tls13.c b/src/tls13.c
index c76e894c7..eb996a65f 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -2843,6 +2843,9 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
 WOLFSSL_ENTER("DoTls13ServerHello");
+ if (ssl->arrays == NULL)
+ return BAD_FUNC_ARG;
+
 #ifdef WOLFSSL_CALLBACKS
 if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
 if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
@@ -6889,6 +6892,7 @@ static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
 /* Server's authenticating with PSK must not send this. */
 if (ssl->options.serverState == SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
+ ssl->arrays != NULL &&
 ssl->arrays->psk_keySz != 0) {
 WOLFSSL_MSG("CertificateRequset received while using PSK");
 return SANITY_MSG_E;
@@ -6915,6 +6919,7 @@ static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
 /* Server's authenticating with PSK must not send this. */
 if (ssl->options.serverState == SERVER_CERT_COMPLETE &&
+ ssl->arrays != NULL &&
 ssl->arrays->psk_keySz != 0) {
 WOLFSSL_MSG("CertificateVerify received while using PSK");
 return SANITY_MSG_E;
@@ -6956,7 +6961,7 @@ static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
 /* Must have seen certificate and verify from server except when * using PSK. */
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- if (ssl->arrays->psk_keySz != 0) {
+ if (ssl->arrays != NULL && ssl->arrays->psk_keySz != 0) {
 if (ssl->options.serverState != SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
 WOLFSSL_MSG("Finished received out of order");
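Review bot: The new `ssl->arrays == NULL` guard in DoTls13ServerHello returns BAD_FUNC_ARG silently, after WOLFSSL_START and WOLFSSL_ENTER have already run, so a handshake that fails here leaves an opened trace entry and an error code that reads like API misuse rather than an unexpected handshake state. Logging before the return, e.g. `WOLFSSL_MSG("ServerHello received with no handshake arrays");`, would make the failure diagnosable. Moving the check above `WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);` would avoid the unbalanced trace, assuming the function pairs these macros at its exit, which is outside the hunk. Note that `ssl` itself is still dereferenced unchecked, so the guard covers only the arrays pointer.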
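Review bot: In SanityCheckTls13MsgReceived the added `ssl->arrays != NULL &&` makes the PSK test fail open: when arrays is NULL the condition is false and the CertificateRequest is not rejected here, although the comment above it says a PSK-authenticating server must not send it. The same applies to the CertificateVerify check in the following hunk, and in the Finished hunk a NULL arrays now falls through to the non-PSK branch, whose body is outside the hunk. If arrays can really be NULL at these points, rejecting the message is the safer behaviour for a sanity check, e.g. `if (ssl->arrays == NULL) return SANITY_MSG_E;` ahead of the PSK tests. If it cannot, a comment such as `/* arrays is never NULL here; check only quiets scan-build */` would stop later readers from treating the skip as intended behaviour. The function starts and ends outside all three hunks.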
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 565ea9b41..fa134724d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -15477,6 +15477,9 @@ int StoreECC_DSA_Sig_Bin(byte* out, word32* outLen, const byte* r, word32 rLen,
 word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */
 int rAddLeadZero, sAddLeadZero;
+ if ((out == NULL) || (outLen == NULL) || (r == NULL) || (s == NULL))
+ return BAD_FUNC_ARG;
+
 /* Trim leading zeros */
 rLen = trim_leading_zeros(&r, rLen);
 sLen = trim_leading_zeros(&s, sLen);
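Review bot: The new guard in StoreECC_DSA_Sig_Bin validates the four pointers but not the lengths, and the lines right after it pass `rLen` and `sLen` straight to trim_leading_zeros. Whether a zero `rLen` or `sLen` is handled safely depends on that helper and on the code after the hunk, neither of which is visible here. If zero-length components are not valid input, the same guard could reject them, e.g. `if ((rLen == 0) || (sLen == 0)) return BAD_FUNC_ARG;`. The function's header comment, outside the hunk, should also list BAD_FUNC_ARG as the result for NULL arguments so callers know to check for it.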