From 821fd3c89823467f2fd2c975ed2a71e0975c4db1 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 25 Feb 2022 10:58:19 -0800
Subject: [PATCH] Peer review fixes. Check idSz and add comment about session
 variable use.

---
 src/internal.c | 3 +++
 src/ssl.c      | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index aff16e83f..25577319c 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -30626,6 +30626,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 id = ssl->session->altSessionID;
                 idSz = ID_LEN;
             }
+            /* make sure idSz is not larger than ID_LEN */
+            if (idSz > ID_LEN)
+                idSz = ID_LEN;
             XMEMCPY(it.id, id, idSz);
         }
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 3fcb151e4..d2905de19 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -15769,6 +15769,9 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
         sessRow = NULL;
     }
 
+    /* Note: the `session` variable cannot be used below, since the row is
+     * un-locked */
+
     if (ret != WOLFSSL_SUCCESS)
         return ret;