diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index cef287a2c9..e1698a24da 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -3449,6 +3449,7 @@ tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o)
 if (SECSuccess != SECITEM_CopyItem(NULL, &n->key_exchange, &o->key_exchange)) {
 PORT_Free(n);
+ return NULL;
 }
 n->group = o->group;
 return n;
diff --git a/lib/ssl/tls13exthandle.c b/lib/ssl/tls13exthandle.c
index cc0ce02b56..8ed18f69cd 100644
--- a/lib/ssl/tls13exthandle.c
+++ b/lib/ssl/tls13exthandle.c
@@ -249,6 +249,7 @@ tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 }
 if (SSL_READER_REMAINING(&rdr)) {
+ tls13_DestroyKeyShareEntry(ks);
 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
 return SECFailure;
 }
@@ -1310,6 +1311,9 @@ tls13_ServerHandleEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 PRUint64 tmp;
 while (SSL_READER_REMAINING(&sniRdr)) {
 rv = sslRead_ReadNumber(&sniRdr, 1, &tmp);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
 if (tmp != 0) {
 goto loser;
 }
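Review bot: With the added `return NULL;`, tls13_CopyKeyShareEntry has a failure return that nothing in the hunk documents, and the caller's ownership of the copy is also unstated. A header comment would cover both, for example `/* Returns a copy of |o| (including key_exchange) owned by the caller, or NULL if allocation fails. */`; presumably the copy is released with tls13_DestroyKeyShareEntry, which should be confirmed before naming it there. The function starts and ends outside the hunk, so whether it already carries such a comment, and whether every caller checks for NULL, needs to be checked in the full file.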
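Review bot: Freeing `ks` by hand on this one error return in tls13_ClientHandleKeyShareXtn leaves the function relying on every later failure path to remember the same call. tls13_ServerHandleEsniXtn in this file already funnels failures through `goto loser`; the same shape here, with a single `tls13_DestroyKeyShareEntry(ks);` under a `loser:` label, would keep ownership of `ks` in one place until it is handed off. The rest of the function is outside the hunk, so whether other returns after the decode also hold a live `ks` has to be checked there.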
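Review bot: The new `rv` check sits inside a loop that only runs while `SSL_READER_REMAINING(&sniRdr)` is non-zero, so a one-byte read looks like it cannot fail here and the branch reads as unexplained dead code. A comment would record why it is kept, e.g. `/* Defensive: never test tmp unless the read succeeded. */`, and one on the loop such as `/* Every remaining byte must be zero. */` would state what is being validated. `tmp` is declared without an initializer in the context line above, which is what the check protects against; the `loser` label and what it reports are outside the hunk.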