diff --git a/src/ssl.c b/src/ssl.c
index 254b9767a..a413c43f2 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -698,7 +698,9 @@ int wolfSSL_SetEchConfigs(WOLFSSL* ssl, const byte* echConfigs,
                 (WOLFSSL_EchConfig*)XMALLOC(sizeof(WOLFSSL_EchConfig),
                 ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
             configList = workingConfig;
-            workingConfig->next = NULL;
+            if (workingConfig != NULL) {
+                workingConfig->next = NULL;
+            }
         }
         else {
             lastConfig = workingConfig;
diff --git a/src/tls13.c b/src/tls13.c
index 33b5e9c36..404f8e143 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3349,12 +3349,14 @@ int CreateCookieExt(const WOLFSSL* ssl, byte* hash, word16 hashSz,
     TLSX* ext;
     word16 cookieSz = 0;
 
+    if (hash == NULL || hashSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
     /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
     cookie[cookieSz++] = (byte)hashSz;
-    if (hashSz > 0) {
-        XMEMCPY(cookie + cookieSz, hash, hashSz);
-        cookieSz += hashSz;
-    }
+    XMEMCPY(cookie + cookieSz, hash, hashSz);
+    cookieSz += hashSz;
     cookie[cookieSz++] = cipherSuite0;
     cookie[cookieSz++] = cipherSuite;
     if ((ext = TLSX_Find(*exts, TLSX_KEY_SHARE)) != NULL) {
diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
index 46079da94..b852c6067 100644
--- a/wolfcrypt/src/pkcs12.c
+++ b/wolfcrypt/src/pkcs12.c
@@ -1167,13 +1167,13 @@ static byte* PKCS12_ConcatonateContent(WC_PKCS12* pkcs12,byte* mergedData,
     /* re-allocate new buffer to fit appended data */
     mergedData = (byte*)XMALLOC(oldContentSz + inSz, pkcs12->heap,
             DYNAMIC_TYPE_PKCS);
-
-    if (oldContent != NULL) {
-        XMEMCPY(mergedData, oldContent, oldContentSz);
+    if (mergedData != NULL) {
+        if (oldContent != NULL) {
+            XMEMCPY(mergedData, oldContent, oldContentSz);
+        }
+        XMEMCPY(mergedData + oldContentSz, in, inSz);
+        *mergedSz += inSz;
     }
-    XMEMCPY(mergedData + oldContentSz, in, inSz);
-    *mergedSz += inSz;
-
     XFREE(oldContent, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 
     return mergedData;
@@ -1186,7 +1186,7 @@ static int PKCS12_CheckConstructedZero(byte* data, word32 dataSz, word32* idx)
     word32 oid;
     int    ret = 0;
     int    number, size;
-    byte   tag;
+    byte   tag = 0;
 
     if (GetSequence(data, idx, &size, dataSz) < 0) {
         ret = ASN_PARSE_E;
@@ -1214,7 +1214,7 @@ static int PKCS12_CheckConstructedZero(byte* data, word32 dataSz, word32* idx)
     if (ret == 0 && GetASNTag(data, idx, &tag, dataSz) < 0) {
         ret = ASN_PARSE_E;
     }
-    else if (ret == 0 && tag == 0xa0) {
+    else if (ret == 0 && tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
         ret = 1;
     }
 
@@ -1264,6 +1264,9 @@ static int PKCS12_CoalesceOctetStrings(WC_PKCS12* pkcs12, byte* data,
             }
             mergedData = PKCS12_ConcatonateContent(pkcs12, mergedData,
                     &mergedSz, &data[*idx], encryptedContentSz);
+            if (mergedData == NULL) {
+                ret = MEMORY_E;
+            }
         }
         if (ret != 0) {
             break;