ssl/ech/ech_store.c: avoid uninitialised WPACKET use in OSSL_ECHSTORE_new_config

Do not call WPACKET_cleanup() in case of WPACKET_init() failure
and earlier errors.

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681459
Fixes: 4af71a77387c "ECH CLI implementation"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:51 2026
(Merged from https://github.com/openssl/openssl/pull/30139)

diff --git a/ssl/ech/ech_store.c b/ssl/ech/ech_store.c
index 6fb1dcd66909a068b3bf4b07f84a784c56f88b27..c5963347f3382ea00f1ecb650371e63a6b6cbc1c 100644 (file)
--- a/ssl/ech/ech_store.c
+++ b/ssl/ech/ech_store.c
@@ -705,7 +705,7 @@ int OSSL_ECHSTORE_new_config(OSSL_ECHSTORE *es,
         || !BUF_MEM_grow(epkt_mem, OSSL_ECH_MAX_ECHCONFIG_LEN)
         || !WPACKET_init(&epkt, epkt_mem)) {
         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
-        goto err;
+        goto err_no_epkt;
     }
     /* random config_id */
     if (RAND_bytes_ex(es->libctx, (unsigned char *)&config_id, 1, 0) <= 0) {
@@ -799,10 +799,11 @@ int OSSL_ECHSTORE_new_config(OSSL_ECHSTORE *es,
     return 1;
 
 err:
+    ossl_echstore_entry_free(ee);
     EVP_PKEY_free(privp);
     WPACKET_cleanup(&epkt);
+err_no_epkt:
     BUF_MEM_free(epkt_mem);
-    ossl_echstore_entry_free(ee);
     return rv;
 }