ssl/statem/extensions_srvr.c: free empty rcfgs in tls_construct_stoc_ech()

Free rcfgs before return when rcfgslen is 0, mostly to placate
Coverity, as it is expected to be NULL with the majority of realloc()
implementations.

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681463
Complements: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:55 2026
(Merged from https://github.com/openssl/openssl/pull/30139)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 51159de03f0ed77b640696a00f967a37350c6af4..a2ec696fa57c90edeeb15444e762a9184efdf46c 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -2591,6 +2591,7 @@ EXT_RETURN tls_construct_stoc_ech(SSL_CONNECTION *s, WPACKET *pkt,
                                 "I've no configs set to be returned\n");
         }
         OSSL_TRACE_END(TLS);
+        OPENSSL_free(rcfgs);
         return EXT_RETURN_NOT_SENT;
     }
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ech)