ssl/statem/statem_srvr.c: avoid WPACKET momory leak in tls_process_client_hello
authorEugene Syromiatnikov <esyr@openssl.org>
Mon, 23 Feb 2026 05:28:12 +0000 (06:28 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 25 Feb 2026 11:10:24 +0000 (12:10 +0100)
Call WPACKET_cleanup() before returning when a WPACKET_* call fails
after a successful WPACKET_init_static_len().

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681448
Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:56 2026
(Merged from https://github.com/openssl/openssl/pull/30139)

ssl/statem/statem_srvr.c

index 74bd78a859c60a2cece7a7bf2a387487cbbfc1bd..798567b667afceca1f40ff3a9ec51051f1ad4ce4 100644 (file)
@@ -1691,11 +1691,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
                 goto err;
             }
             if (!WPACKET_init_static_len(&inner, s->ext.ech.innerch,
-                    s->ext.ech.innerch_len, 0)
-                || !WPACKET_put_bytes_u8(&inner, SSL3_MT_CLIENT_HELLO)
+                    s->ext.ech.innerch_len, 0)) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+                goto err;
+            }
+            if (!WPACKET_put_bytes_u8(&inner, SSL3_MT_CLIENT_HELLO)
                 || !WPACKET_put_bytes_u24(&inner, s->ext.ech.innerch_len - SSL3_HM_HEADER_LENGTH)
                 || !WPACKET_memcpy(&inner, pbuf, s->ext.ech.innerch_len - SSL3_HM_HEADER_LENGTH)
                 || !WPACKET_finish(&inner)) {
+                WPACKET_cleanup(&inner);
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                 goto err;
             }
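Review bot: The split into two `if` statements relies on an invariant that the code never states: `WPACKET_cleanup(&inner)` is called only once `WPACKET_init_static_len()` has succeeded, and every later failure path must call it. A one-line comment above the second `if`, such as `/* inner is initialised from here on; every failure path must call WPACKET_cleanup() */`, would stop a later refactor from merging the conditions again and reintroducing the leak. Separately, both length arguments compute `s->ext.ech.innerch_len - SSL3_HM_HEADER_LENGTH`, and the hunk shows no lower bound on `innerch_len`. The inner ClientHello is presumably derived from peer-supplied data, so it is worth confirming that the code before this hunk guarantees `innerch_len` is at least the header length, rather than relying on the WPACKET calls to reject a wrapped value. The rest of tls_process_client_hello, including its `err` label, lies outside the hunk, so neither point can be checked from here.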