From 8491eb5acbc4890fbd69465265b9b00024b2f7bf Mon Sep 17 00:00:00 2001
From: Shubham Mittal <107728331+smittals2@users.noreply.github.com>
Date: Tue, 4 Mar 2025 16:25:53 -0800
Subject: [PATCH] Coverity Fix (#2236)

### Issues:
`P204971226`

### Description of changes:
Add a explicit null check to ensure a valid leaf cert exists. We know in
current usage this will always be the case. Null check added for
future-proofing.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
---
 ssl/ssl_cert.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 49175439a3..9209039e27 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -286,7 +286,12 @@ static int cert_set_chain_and_key(
     return 0;
   }
 
-  switch (check_leaf_cert_and_privkey(sk_CRYPTO_BUFFER_value(certs.get(), 0), privkey)) {
+  CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(certs.get(), 0);
+  if (leaf_buf == nullptr) {
+    return 0;
+  }
+
+  switch (check_leaf_cert_and_privkey(leaf_buf, privkey)) {
     case leaf_cert_and_privkey_error:
       return 0;
     case leaf_cert_and_privkey_mismatch: