Commit e531a13df4 for openssl.org
commit e531a13df407d2f04045a59177a97bf9c744852e
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date: Mon Feb 23 06:28:12 2026 +0100
ssl/statem/statem_srvr.c: avoid WPACKET momory leak in tls_process_client_hello
Call WPACKET_cleanup() before returning when a WPACKET_* call fails
after a successful WPACKET_init_static_len().
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681448
Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:56 2026
(Merged from https://github.com/openssl/openssl/pull/30139)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 74bd78a859..798567b667 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1691,11 +1691,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
goto err;
}
if (!WPACKET_init_static_len(&inner, s->ext.ech.innerch,
- s->ext.ech.innerch_len, 0)
- || !WPACKET_put_bytes_u8(&inner, SSL3_MT_CLIENT_HELLO)
+ s->ext.ech.innerch_len, 0)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ if (!WPACKET_put_bytes_u8(&inner, SSL3_MT_CLIENT_HELLO)
|| !WPACKET_put_bytes_u24(&inner, s->ext.ech.innerch_len - SSL3_HM_HEADER_LENGTH)
|| !WPACKET_memcpy(&inner, pbuf, s->ext.ech.innerch_len - SSL3_HM_HEADER_LENGTH)
|| !WPACKET_finish(&inner)) {
+ WPACKET_cleanup(&inner);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
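Review bot: The two `s->ext.ech.innerch_len - SSL3_HM_HEADER_LENGTH` operands in the second condition have no visible lower bound on `innerch_len`, so a value below the header length would wrap the unsigned subtraction. The static WPACKET's size limit presumably makes the earlier `WPACKET_put_bytes_*` calls fail first, but that protection is implicit and easy to lose in a later refactor. Unless a check exists above the hunk (the function starts and continues outside it), I would make the bound explicit in the init condition, where no cleanup is needed yet: `if (s->ext.ech.innerch_len < SSL3_HM_HEADER_LENGTH || !WPACKET_init_static_len(&inner, s->ext.ech.innerch, s->ext.ech.innerch_len, 0)) {`. A one-line comment at `WPACKET_cleanup(&inner);` saying that it releases the state set up by `WPACKET_init_static_len()` when `WPACKET_finish()` is not reached would also explain why only this branch needs it.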