diff --git a/src/internal.c b/src/internal.c
index aff16e83f..25577319c 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -30626,6 +30626,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 id = ssl->session->altSessionID;
                 idSz = ID_LEN;
             }
+            /* make sure idSz is not larger than ID_LEN */
+            if (idSz > ID_LEN)
+                idSz = ID_LEN;
             XMEMCPY(it.id, id, idSz);
         }
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 3fcb151e4..d2905de19 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -15769,6 +15769,9 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
         sessRow = NULL;
     }
 
+    /* Note: the `session` variable cannot be used below, since the row is
+     * un-locked */
+
     if (ret != WOLFSSL_SUCCESS)
         return ret;