Commit 3e08902de4 for openssl.org
commit 3e08902de4bb19862c346dde7969ca907c5d7528
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date: Mon Feb 23 05:06:18 2026 +0100
ssl/ech/ech_internal.c: check WPACKET_get_total_written in ossl_ech_send_grease
Check the result of WPACKET_get_total_written() calls
in ossl_ech_send_grease(), as is done elsewhere.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681451
Fixes: ade10c5dbf20 "ECH client side"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:42 2026
(Merged from https://github.com/openssl/openssl/pull/30139)
diff --git a/ssl/ech/ech_internal.c b/ssl/ech/ech_internal.c
index 3ae7e89a95..967b6d403c 100644
--- a/ssl/ech/ech_internal.c
+++ b/ssl/ech/ech_internal.c
@@ -300,7 +300,10 @@ int ossl_ech_send_grease(SSL_CONNECTION *s, WPACKET *pkt)
unsigned char cipher[OSSL_ECH_MAX_GREASE_CT];
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
- WPACKET_get_total_written(pkt, &pp_at_start);
+ if (!WPACKET_get_total_written(pkt, &pp_at_start)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
/* randomly select cipher_len to be one of 144, 176, 208, 244 */
if (RAND_bytes_ex(sctx->libctx, &cid, 1, 0) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -345,7 +348,10 @@ int ossl_ech_send_grease(SSL_CONNECTION *s, WPACKET *pkt)
}
/* record the ECH sent so we can re-tx same if we hit an HRR */
OPENSSL_free(s->ext.ech.sent);
- WPACKET_get_total_written(pkt, &pp_at_end);
+ if (!WPACKET_get_total_written(pkt, &pp_at_end)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
s->ext.ech.sent_len = pp_at_end - pp_at_start;
s->ext.ech.sent = OPENSSL_malloc(s->ext.ech.sent_len);
if (s->ext.ech.sent == NULL) {