Don't init OCSP requests when cert is in bad state

julek-wolfssl · julek-wolfssl · commit 6cc35f88b99f · 2025-10-01T09:58:21.000+02:00
diff --git a/src/internal.c b/src/internal.c
@@ -15704,7 +15704,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     }
 
                 #ifdef HAVE_OCSP
-                    {
+                    if (ret == 0 ||
+                            /* Don't enter when args->dCert is potentially in
+                             * a bad state. */
+                            (ret != WC_NO_ERR_TRACE(ASN_PARSE_E) &&
+                             ret != WC_NO_ERR_TRACE(BUFFER_E) &&
+                             ret != WC_NO_ERR_TRACE(MEMORY_E) &&
+                             ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))) {
                         /* If we are processing OCSP staples then always
                          * initialize the corresponding request. */
                         int ocspRet = 0;
