diff --git a/src/internal.c b/src/internal.c
index be6696c92..ed0dcd68f 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -22662,6 +22662,10 @@ exit_dpk:
         int                ret;
         word16             extSz = 0;
 
+        if (ssl == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
 #ifdef WOLFSSL_TLS13
         if (IsAtLeastTLSv1_3(ssl->version))
             return SendTls13ClientHello(ssl);
@@ -22719,6 +22723,10 @@ exit_dpk:
 #endif
         sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
 
+        if (ssl->arrays == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
 #ifdef WOLFSSL_DTLS
         if (ssl->options.dtls) {
             length += ENUM_LEN;   /* cookie */
diff --git a/src/tls13.c b/src/tls13.c
index 47510a6c1..04428314f 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3014,6 +3014,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
     WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
     WOLFSSL_ENTER("SendTls13ClientHello");
 
+    if (ssl == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #ifdef HAVE_SESSION_TICKET
     if (ssl->options.resuming &&
             (ssl->session.version.major != ssl->version.major ||
@@ -3130,6 +3134,9 @@ int SendTls13ClientHello(WOLFSSL* ssl)
     /* Keep for downgrade. */
     ssl->chVersion = ssl->version;
 
+    if (ssl->arrays == NULL) {
+        return BAD_FUNC_ARG;
+    }
     /* Client Random */
     if (ssl->options.connectState == CONNECT_BEGIN) {
         ret = wc_RNG_GenerateBlock(ssl->rng, args->output + args->idx, RAN_LEN);
@@ -9676,7 +9683,7 @@ int wolfSSL_CTX_get_max_early_data(WOLFSSL_CTX* ctx)
  *
  * ssl  The SSL/TLS object.
  * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * SIDE_ERROR when not a server and 
+ * SIDE_ERROR when not a server and
  * returns the maximum amount of early data to be set
  */
 int wolfSSL_get_max_early_data(WOLFSSL* ssl)
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 61bef46d6..beb4088a8 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -1964,6 +1964,7 @@ int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx,
                     pkey->ownEcc = 1;
                 }
             }
+            break;
 #endif
         default:
             break;
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index b7bce2793..61d076db0 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -11692,8 +11692,8 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
             wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRBEND);
             FALL_THROUGH;
 
-authenv_atrbend:
         case WC_PKCS7_AUTHENV_ATRBEND:
+authenv_atrbend:
         #ifndef NO_PKCS7_STREAM
             if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
                             ASN_TAG_SZ, &pkiMsg, &idx)) != 0) {
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 6b6b544fd..0f346cff4 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -311,12 +311,13 @@ decouple library dependencies with standard string, memory and so on.
     #ifndef FALL_THROUGH
         /* GCC 7 has new switch() fall-through detection */
         #if defined(__GNUC__)
-            #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
-                #if defined(WOLFSSL_LINUXKM) && defined(fallthrough)
-                    #define FALL_THROUGH fallthrough
-                #else
-                    #define FALL_THROUGH ; __attribute__ ((fallthrough))
-                #endif
+            #if defined(fallthrough)
+                #define FALL_THROUGH fallthrough
+            #elif ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
+                #define FALL_THROUGH ; __attribute__ ((fallthrough))
+            #elif defined(__clang__) && defined(__clang_major__) && \
+                    (__clang_major__ >= 11)
+                #define FALL_THROUGH ; __attribute__ ((fallthrough))
             #endif
         #endif
     #endif /* FALL_THROUGH */