diff --git a/src/internal.c b/src/internal.c
index b56f20299..caff84c25 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2040,13 +2040,10 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 DYNAMIC_TYPE_COOKIE_PWD);
 #endif
 #endif /* WOLFSSL_DTLS */
-#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
- FreeX509(&ssl->peerCert);
-#endif
 #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
- wolfSSL_BIO_free(ssl->biord);
- if (ssl->biord != ssl->biowr) /* in case same as write */
+ if (ssl->biord != ssl->biowr) /* only free write if different */
 wolfSSL_BIO_free(ssl->biowr);
+ wolfSSL_BIO_free(ssl->biord); /* always free read bio */
 #endif
 #ifdef HAVE_LIBZ
 FreeStreams(ssl);
@@ -2090,6 +2087,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 if (ssl->nxCtx.nxPacket)
 nx_packet_release(ssl->nxCtx.nxPacket);
 #endif
+#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
+ FreeX509(&(ssl->peerCert)); /* clang thinks this frees ssl itslef */
+#endif
 }
 #ifdef WOLFSSL_TI_HASH
@@ -8130,14 +8130,22 @@ int SendCertificate(WOLFSSL* ssl)
 }
 if (IsEncryptionOn(ssl, 1)) {
- byte* input;
+ byte* input = NULL;
 int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (input == NULL)
- return MEMORY_E;
+ if (inputSz < 0) {
+ WOLFSSL_MSG("Send Cert bad inputSz");
+ return BUFFER_E;
+ }
+
+ if (inputSz > 0) { /* clang thinks could be zero, let's help */
+ input = (byte*)XMALLOC(inputSz, ssl->heap,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (input == NULL)
+ return MEMORY_E;
+ XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
+ }
- XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
 sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake);
 XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/src/ssl.c b/src/ssl.c
index d748ff048..9dbd97fe7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
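Review bot: After the two `wolfSSL_BIO_free` calls in the `OPENSSL_EXTRA || GOAHEAD_WS` block of the first SSL_ResourceFree hunk, `ssl->biord` and `ssl->biowr` still hold the freed addresses. The reordering removes the comparison against an already-freed pointer, but if SSL_ResourceFree can run a second time on the same object (not visible here; the function starts and ends outside the hunk) the stale values would be freed again. Clearing both fields right after the frees makes that path harmless: `ssl->biowr = NULL; ssl->biord = NULL;`.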
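Review bot: The comment on the relocated `FreeX509(&(ssl->peerCert));` call in the second SSL_ResourceFree hunk has a typo (`itslef`) and does not say that the call's position at the very end of the function is the actual workaround. Without that, a later change that adds more `ssl->` cleanup below it, or moves the call back up, would presumably bring the analyzer report back. Suggested wording: `/* keep last: clang's analyzer assumes this call frees ssl itself */`.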
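Review bot: With `inputSz == 0` the new code in SendCertificate skips the allocation but still calls `BuildMessage(ssl, output, sendSz, input,inputSz,handshake)` and `XFREE(input, ...)` with `input == NULL`. Whether BuildMessage and the configured XFREE accept a NULL pointer is not visible in this hunk, and a record with no handshake bytes does not look like a meaningful Certificate message, so it seems safer to reject it together with the negative case: `if (inputSz <= 0) {`. The `if (inputSz > 0)` wrapper then becomes unnecessary and the allocation can stay unconditional. SendCertificate's body starts and continues outside the hunk.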
@@ -2913,7 +2913,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 WOLFSSL_MSG("Finished Processing Cert Chain");
 /* only retain actual size used */
- shrinked = (byte*)XMALLOC(idx, heap, dynamicType);
+ if (idx > 0) /* clang thinks it can be zero, let's help analysis */
+ shrinked = (byte*)XMALLOC(idx, heap, dynamicType);
 if (shrinked) {
 if (ssl) {
 if (ssl->buffers.certChain.buffer &&
@@ -2936,7 +2937,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 if (dynamicBuffer)
 XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE);
- if (shrinked == NULL) {
+ if (idx > 0 && shrinked == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
 XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -14843,6 +14844,7 @@ WOLFSSL_EC_POINT *wolfSSL_EC_POINT_new(const WOLFSSL_EC_GROUP *group)
 p->internal = wc_ecc_new_point();
 if (p->internal == NULL) {
 WOLFSSL_MSG("ecc_new_point failure");
+ XFREE(p, NULL, DYNAMIC_TYPE_ECC);
 return NULL;
 }
@@ -15061,6 +15063,7 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_SIG_new(void)
 return NULL;
 }
+ sig->s = NULL;
 sig->r = wolfSSL_BN_new();
 if (sig->r == NULL) {
 WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA r failure");
@@ -15143,10 +15146,12 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen,
 else if (SetIndividualExternal(&(sig->r), &sig_r)!=SSL_SUCCESS){
 WOLFSSL_MSG("ecdsa r key error");
 wolfSSL_ECDSA_SIG_free(sig);
+ sig = NULL;
 }
 else if (SetIndividualExternal(&(sig->s), &sig_s)!=SSL_SUCCESS){
 WOLFSSL_MSG("ecdsa s key error");
 wolfSSL_ECDSA_SIG_free(sig);
+ sig = NULL;
 }
 mp_clear(&sig_r);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 5c9179283..ff73f69dd 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -2793,6 +2793,7 @@ static int GetName(DecodedCert* cert, int nameType)
 cert->heap, DYNAMIC_TYPE_ALTNAME);
 if (emailName->name == NULL) {
 WOLFSSL_MSG("\tOut of Memory");
+ XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
 return MEMORY_E;
 }
 XMEMCPY(emailName->name,
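Review bot: Guarding the allocation with `if (idx > 0)` in the first ProcessBuffer hunk means the following `if (shrinked)` now reads `shrinked` without it having been assigned here, so its declaration (outside the hunk) must initialise it to NULL; if it does not, the `idx == 0` case tests an indeterminate pointer. The same case also passes the changed check in the second ProcessBuffer hunk (`if (idx > 0 && shrinked == NULL)`) without an error, so any previously stored `certChain` buffer appears to stay in place. If an empty chain is not expected at this point, one explicit `idx == 0` branch with a message would state the intent more clearly than two separate `idx > 0` conditions.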
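Review bot: `sig->s = NULL;` in wolfSSL_ECDSA_SIG_new initialises a single field of the freshly allocated structure, which protects the error path after a failed `wolfSSL_BN_new()` but leaves any other or future members indeterminate. Zeroing the whole object right after the allocation check is less fragile: `XMEMSET(sig, 0, sizeof(*sig));`. The allocation and the cleanup code are outside the hunk, so this assumes the failure branches release `sig` through its members.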
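Review bot: The added `XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);` in GetName is only safe if `emailName` has not yet been linked into any list reachable from `cert`; the statements that allocate and link it are outside the hunk. If the node were already linked, later cleanup of the decoded certificate would touch a freed entry, and this code parses certificate data that may be untrusted. The same question applies to `XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);` in the DecodeSubtree hunk with respect to `*head`. Once confirmed, a short comment at each site such as `/* not linked into the list yet */` would record the assumption.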
@@ -4453,6 +4454,7 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
 entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
 if (entry->name == NULL) {
 WOLFSSL_MSG("allocate error");
+ XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
 return MEMORY_E;
 }