Commit 30208ddb67 for openssl.org

commit 30208ddb671a29185ed9fe4188ee03a5daa0bac9
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Mon Feb 23 06:15:02 2026 +0100

    ssl/statem/extensions_srvr.c: free empty rcfgs in tls_construct_stoc_ech()

    Free rcfgs before return when rcfgslen is 0, mostly to placate
    Coverity, as it is expected to be NULL with the majority of realloc()
    implementations.

    Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681463
    Complements: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Wed Feb 25 11:10:55 2026
    (Merged from https://github.com/openssl/openssl/pull/30139)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 51159de03f..a2ec696fa5 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -2591,6 +2591,7 @@ EXT_RETURN tls_construct_stoc_ech(SSL_CONNECTION *s, WPACKET *pkt,
                                 "I've no configs set to be returned\n");
         }
         OSSL_TRACE_END(TLS);
+        OPENSSL_free(rcfgs);
         return EXT_RETURN_NOT_SENT;
     }
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ech)