Handshake State Misuse

TLS handshake code reuses or dereferences handshake-derived state (pointers, union fields, and extension/session parameters) without validating invariants, so failure paths or attacker-controlled alerts lead to NULL/invalid access or freed-memory writes.