Commit bbd93b02c4 for openssl.org

commit bbd93b02c469fddc27383b7c449714ea9c066ee4
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Mon Feb 23 05:47:39 2026 +0100

    ssl/ech/ech_store.c: avoid uninitialised WPACKET use in OSSL_ECHSTORE_new_config

    Do not call WPACKET_cleanup() in case of WPACKET_init() failure
    and earlier errors.

    Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681459
    Fixes: 4af71a77387c "ECH CLI implementation"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Wed Feb 25 11:10:51 2026
    (Merged from https://github.com/openssl/openssl/pull/30139)

diff --git a/ssl/ech/ech_store.c b/ssl/ech/ech_store.c
index 6fb1dcd669..c5963347f3 100644
--- a/ssl/ech/ech_store.c
+++ b/ssl/ech/ech_store.c
@@ -705,7 +705,7 @@ int OSSL_ECHSTORE_new_config(OSSL_ECHSTORE *es,
         || !BUF_MEM_grow(epkt_mem, OSSL_ECH_MAX_ECHCONFIG_LEN)
         || !WPACKET_init(&epkt, epkt_mem)) {
         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
-        goto err;
+        goto err_no_epkt;
     }
     /* random config_id */
     if (RAND_bytes_ex(es->libctx, (unsigned char *)&config_id, 1, 0) <= 0) {
@@ -799,10 +799,11 @@ int OSSL_ECHSTORE_new_config(OSSL_ECHSTORE *es,
     return 1;

 err:
+    ossl_echstore_entry_free(ee);
     EVP_PKEY_free(privp);
     WPACKET_cleanup(&epkt);
+err_no_epkt:
     BUF_MEM_free(epkt_mem);
-    ossl_echstore_entry_free(ee);
     return rv;
 }