diff --git a/runtime/libcry_common.c b/runtime/libcry_common.c
index 682aaf2a6..64d564608 100644
--- a/runtime/libcry_common.c
+++ b/runtime/libcry_common.c
@@ -56,6 +56,10 @@ int cryGetKeyFromFile(const char *const fn, char **const key, unsigned *const ke
 errno = EMSGSIZE;
 goto done;
 }
+ if (sb.st_size == 0) {
+ errno = EINVAL;
+ goto done;
+ }
 if ((*key = malloc(sb.st_size)) == NULL) goto done;
 if (read(fd, *key, sb.st_size) != sb.st_size) goto done;
 *keylen = sb.st_size;
diff --git a/runtime/libossl.c b/runtime/libossl.c
index 66780b74c..40628395c 100644
--- a/runtime/libossl.c
+++ b/runtime/libossl.c
@@ -77,6 +77,10 @@ int osslGetKeyFromFile(const char* const fn, char** const key, unsigned* const k
 errno = EMSGSIZE;
 goto done;
 }
+ if (sb.st_size == 0) {
+ errno = EINVAL;
+ goto done;
+ }
 if ((*key = malloc(sb.st_size)) == NULL) goto done;
 if (read(fd, *key, sb.st_size) != sb.st_size) goto done;
 *keylen = sb.st_size;
diff --git a/runtime/lookup.c b/runtime/lookup.c
index 1e73baf41..c2ca70803 100644
--- a/runtime/lookup.c
+++ b/runtime/lookup.c
@@ -1051,6 +1051,11 @@ static rsRetVal ATTR_NONNULL()
 ABORT_FINALIZE(RS_RET_FILE_NOT_FOUND);
 }
+ if (sb.st_size == 0) {
+ LogError(0, RS_RET_JSON_PARSE_ERR, "lookup table file '%s' is empty", filename);
+ ABORT_FINALIZE(RS_RET_JSON_PARSE_ERR);
+ }
+
 CHKmalloc(iobuf = malloc(sb.st_size));
 tokener = json_tokener_new();
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 9918cc8b3..f406caaf4 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
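Review bot: The new `sb.st_size == 0` guard in the libcry_common.c hunk (cryGetKeyFromFile) rejects an empty key file silently, setting only `errno = EINVAL`, whereas the lookup.c hunk in the same commit reports the same condition with LogError and the file name. The libossl.c hunk (osslGetKeyFromFile) is identical and has the same gap. Unless the callers, which are outside these hunks, already log errno together with the path, an operator with a truncated key file gets no hint why key loading failed. A why-comment on the guards would also help, for example `/* empty file: malloc(0) may return NULL or a zero-length buffer; never accept a zero-length key */` in the two key readers and an analogous line in lookup.c, because without it the check reads as redundant with the malloc NULL test that follows.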
@@ -1070,9 +1070,9 @@ static rsRetVal AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew, char *const connInfo)
 /* Store nsd_ossl_t* reference in SSL obj
 * Index allocation: 0=pTcp, 1=permitExpiredCerts, 2=imdtls instance, 3=revocationCheck */
- SSL_set_ex_data(pNew->pNetOssl->ssl, 0, pThis->pTcp);
- SSL_set_ex_data(pNew->pNetOssl->ssl, 1, &pThis->permitExpiredCerts);
- SSL_set_ex_data(pNew->pNetOssl->ssl, 3, &pThis->DrvrTlsRevocationCheck);
+ SSL_set_ex_data(pNew->pNetOssl->ssl, 0, pNew->pTcp);
+ SSL_set_ex_data(pNew->pNetOssl->ssl, 1, &pNew->permitExpiredCerts);
+ SSL_set_ex_data(pNew->pNetOssl->ssl, 3, &pNew->DrvrTlsRevocationCheck);
 /* We now do the handshake */
 CHKiRet(osslHandshakeCheck(pNew));
diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
index c97de50de..c5d9c498b 100644
--- a/runtime/tcps_sess.c
+++ b/runtime/tcps_sess.c
@@ -737,7 +737,6 @@ static rsRetVal ATTR_NONNULL(1) processDataRcvd(tcps_sess_t *pThis,
 cnf_params->pszInputName, peerName, peerIP, peerPort, c);
 }
 if (pThis->iOctetsRemain < 1) {
- /* TODO: handle the case where the octet count is 0! */
 LogError(0, NO_ERRCODE,
 "imtcp %s: Framing Error in received TCP message from "
 "peer: (hostname) %s, (ip) %s, (port) %s: invalid octet count %d.",
diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
index bb17b2b72..56cbeb8c3 100644
--- a/runtime/tcpsrv.c
+++ b/runtime/tcpsrv.c
@@ -1008,6 +1008,7 @@ static rsRetVal ATTR_NONNULL(1)
 while (state == RS_READING || state == RS_STARVATION) {
 switch (state) {
 case RS_READING:
+ /* maxReads==0 is intentional and documented: it disables starvation protection. */
 while (state == RS_READING && (maxReads == 0 || read_calls < maxReads)) {
 iRet = pThis->pRcvData(pSess, buf, sizeof(buf), &iRcvd, &oserr, &pioDescr->ioDirection);
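Review bot: In the nsd_ossl.c hunk (AcceptConnReq), ex_data slots 1 and 3 now hold `&pNew->permitExpiredCerts` and `&pNew->DrvrTlsRevocationCheck`, so the certificate checks run during `osslHandshakeCheck(pNew)` will read whatever the new session object contains at that moment. The lines that copy these settings from the listener (`pThis`) into `pNew` are not in the hunk; if they run after this point, or not at all, the handshake would presumably be evaluated against default values rather than the configured expired-certificate and revocation policy. That ordering should be confirmed and stated in the comment, for example `* All pointers reference pNew, whose settings were copied from the listener above.` The three `SSL_set_ex_data` calls also ignore the return value (0 on failure), which would leave a slot empty for the callback; testing `if (SSL_set_ex_data(pNew->pNetOssl->ssl, 0, pNew->pTcp) != 1)` and taking the function's usual abort path would make that failure explicit. The function body starts and ends outside the hunk.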