Commit 9fe7bf3882 for openssl.org

commit 9fe7bf38822b60fd79504710c169db97ad522315
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Mon Feb 23 05:29:37 2026 +0100

    ssl/ech/ech_internal.c: avoid NULL dereference in ossl_ech_get_ch_offsets

    Do not call SSLfatal with s that can potentially be NULL.

    Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681455
    Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Wed Feb 25 11:10:47 2026
    (Merged from https://github.com/openssl/openssl/pull/30139)

diff --git a/ssl/ech/ech_internal.c b/ssl/ech/ech_internal.c
index bda806f2d3..cb9b846e3f 100644
--- a/ssl/ech/ech_internal.c
+++ b/ssl/ech/ech_internal.c
@@ -1132,7 +1132,9 @@ int ossl_ech_get_ch_offsets(SSL_CONNECTION *s, PACKET *pkt, size_t *sessid_off,
     const unsigned char *ch = NULL;
     size_t ch_len = 0, exts_len = 0, sni_len = 0, ech_len = 0;

-    if (s == NULL || pkt == NULL || sessid_off == NULL || exts_off == NULL
+    if (s == NULL)
+        return 0;
+    if (pkt == NULL || sessid_off == NULL || exts_off == NULL
         || ech_off == NULL || echtype == NULL || inner == NULL
         || sni_off == NULL) {
         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);