diff --git a/nfq2/desync.c b/nfq2/desync.c
index eb07dac..836fc5d 100644
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
@@ -609,7 +609,8 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, const struct dissect *
 // if used in postnat chain, dropping initial packet will cause conntrack connection teardown
 // so we need to workaround this.
 // SYN and SYN,ACK checks are for conntrack-less mode
- if (ctrack && (params.server ? ctrack->pos.server.pcounter : ctrack->pos.client.pcounter) == 1 || dis->tcp && (tcp_syn_segment(dis->tcp) || tcp_synack_segment(dis->tcp)))
+ if (ctrack && (params.server ? ctrack->pos.server.pcounter : ctrack->pos.client.pcounter) == 1 ||
+ !ctrack && dis->tcp && (tcp_syn_segment(dis->tcp) || tcp_synack_segment(dis->tcp)))
 {
 if (dis->len_pkt > *len_mod_pkt)
 DLOG_ERR("linux postnat conntrack workaround cannot be applied\n");
@@ -1644,7 +1645,7 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 if (bptr)
 {
- if (a>=e) return NULL;
+ if (a+1>=e) return NULL;
 // name pointer
 off = (*a & 0x3F)<<8 | a[1];
 p = b + off;
diff --git a/nfq2/pools.c b/nfq2/pools.c
index b631447..bcf4940 100644
--- a/nfq2/pools.c
+++ b/nfq2/pools.c
@@ -524,10 +524,15 @@ struct kavl_bit_elem *kavl_bit_get(const struct kavl_bit_elem *hdr, const void *
 static bool ipset_kavl_add(struct kavl_bit_elem **ipset, const void *a, uint8_t preflen)
 {
- uint8_t bytelen = (preflen+7)>>3;
- uint8_t *abuf = malloc(bytelen);
- if (!abuf) return false;
- memcpy(abuf,a,bytelen);
+ uint8_t *abuf, bytelen = (preflen+7)>>3;
+ if (bytelen)
+ {
+ abuf = malloc(bytelen);
+ if (!abuf) return false;
+ memcpy(abuf,a,bytelen);
+ }
+ else
+ abuf = NULL;
 if (!kavl_bit_add(ipset,abuf,preflen,0))
 {
 free(abuf);
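Review bot: In ct_new_postnat_fix the rewritten two-line condition still mixes `&&` and `||` without grouping, so a reader (and `-Wparentheses`) has to fall back on precedence to see where each arm ends. Wrapping the arms, `(ctrack && (...) == 1) ||` on the first line and `(!ctrack && dis->tcp && (...))` on the second, makes the tracked / conntrack-less split explicit. With `!ctrack` added, a SYN or SYN,ACK that arrives while a ctrack entry exists and its packet counter is not 1 no longer takes the workaround; if a retransmitted SYN can reach this path in that state, a comment saying the skip is intended would help. The function body continues past the hunk.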
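Review bot: The dns_extract_name hunk ends at `p = b + off;`, where `off` is a 14-bit value read from the packet, and nothing visible confirms that `p` lies below `e` before the name at that target is parsed; the new `a+1>=e` guard only covers the read of `a[1]`. The rest of the function is outside the hunk, so this may already be handled there; if it is not, `if (p >= e) return NULL;` right after the assignment, together with a cap on how many compression pointers are followed, closes the gap. Writing the guard itself as `if (e - a < 2) return NULL;` also avoids forming `a+1` when `a` already equals `e`.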
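Review bot: For a zero-length prefix, ipset_kavl_add now passes `abuf == NULL` into kavl_bit_add, and nothing in the hunk states that the tree's compare, lookup and free paths accept a NULL key when the bit length is 0. Those functions are outside the hunk, so this needs confirming there (a `memcmp` on the stored pointer, for example, is undefined for NULL even with length 0); a comment at the branch such as `// preflen 0: no key bytes, element is stored with a NULL key` would record the invariant. The declaration would also read more safely as `uint8_t bytelen = (preflen+7)>>3;` followed by `uint8_t *abuf = NULL;`, which drops the brace-less `else` and the stretch in which `abuf` is uninitialised. The function body continues past the hunk.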
@@ -912,12 +917,15 @@ struct blob_item *blob_collection_add_blob(struct blob_collection_head *head, co
 {
 struct blob_item *entry = calloc(1,sizeof(struct blob_item));
 if (!entry) return NULL;
- if (!(entry->data = malloc(size+size_reserve)))
+ if (size+size_reserve)
 {
- free(entry);
- return NULL;
+ if (!(entry->data = malloc(size+size_reserve)))
+ {
+ free(entry);
+ return NULL;
+ }
+ if (data) memcpy(entry->data,data,size);
 }
- if (data) memcpy(entry->data,data,size);
 entry->size = size;
 entry->size_buf = size+size_reserve;
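Review bot: `size+size_reserve` in blob_collection_add_blob is summed three times with no overflow check, and the new `if (size+size_reserve)` guard gives the wrap-around case a second failure shape. If the sum wraps to exactly 0 the entry is returned with `data == NULL` while `entry->size` is set to the non-zero `size`, and for any other wrap `memcpy(entry->data,data,size)` still writes past the short allocation. The parameter declarations are cut off in the hunk header, so this assumes both are unsigned `size_t` values. Rejecting the request up front with `if (size_reserve > SIZE_MAX - size) return NULL;` before the `calloc`, and keeping the sum in one local, would cover both branches. The function continues past the hunk.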