From b4c964f729aa4fb0c5092e874764ccc3b3b1569f Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 16 Sep 2020 12:45:25 -0700
Subject: [PATCH] Fix for possible NULL buffer use if certChain not loaded and OCSP cert request called.
---
 src/internal.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index e9bf1037d..11ee2c1cc 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17465,6 +17465,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
 #else
 DecodedCert cert[1];
 #endif
+ DerBuffer* chain;
 #ifdef WOLFSSL_SMALL_STACK
 cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
@@ -17481,14 +17482,20 @@ int SendCertificateStatus(WOLFSSL* ssl)
 return MEMORY_E;
 }
- while (idx + OPAQUE24_LEN < ssl->buffers.certChain->length) {
- c24to32(ssl->buffers.certChain->buffer + idx, &der.length);
+ /* use certChain if available, otherwise use peer certificate */
+ chain = ssl->buffers.certChain;
+ if (chain == NULL) {
+ chain = ssl->buffers.certificate;
+ }
+
+ while (chain && idx + OPAQUE24_LEN < chain->length) {
+ c24to32(chain->buffer + idx, &der.length);
 idx += OPAQUE24_LEN;
- der.buffer = ssl->buffers.certChain->buffer + idx;
+ der.buffer = chain->buffer + idx;
 idx += der.length;
- if (idx > ssl->buffers.certChain->length)
+ if (idx > chain->length)
 break;
 ret = CreateOcspRequest(ssl, request, cert, der.buffer,
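Review bot: `DerBuffer* chain;` in the first hunk is declared without an initializer and only assigned in the following hunk; since the loop it feeds is guarded on `chain` being non-NULL, initializing at the declaration, `DerBuffer* chain = NULL;`, keeps that guard meaningful if the assignment is later moved or made conditional. The next hunk (which runs past this excerpt) falls back to `ssl->buffers.certificate` and then walks it with the same 3-byte-length-prefix loop used for `certChain`; if that buffer holds a bare DER certificate rather than the length-prefixed chain format, the leading bytes would be read as a length, fail the `idx > chain->length` check and the loop would silently end with no OCSP request built, so the fallback's buffer format is worth confirming before relying on it. The new comment also says "peer certificate", but SendCertificateStatus appears to send the status for the local certificate, so `/* use certChain if available, otherwise fall back to our own certificate */` would be more accurate if that is the case. Neither hunk checks `chain->buffer` for NULL before `c24to32(chain->buffer + idx, &der.length)`; whether a DerBuffer can carry a non-zero length with a NULL buffer is not visible here, and a `chain && chain->buffer &&` guard would be cheap if it can.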