Don't init OCSP requests when cert is in bad state

julek-wolfssl · julek-wolfssl · commit bb5b53deda75 · 2025-09-30T14:19:31.000+02:00
diff --git a/src/internal.c b/src/internal.c
@@ -15687,7 +15687,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     }
 
                 #ifdef HAVE_OCSP
-                    {
+                    if (ret == 0 ||
+                            /* Don't enter when args->dCert is potentially in
+                             * a bad state. */
+                            (ret != WC_NO_ERR_TRACE(ASN_PARSE_E) &&
+                             ret != WC_NO_ERR_TRACE(BUFFER_E) &&
+                             ret != WC_NO_ERR_TRACE(MEMORY_E) &&
+                             ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))) {
                         /* If we are processing OCSP staples then always
                          * initialize the corresponding request. */
                         int ocspRet = 0;
