From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Mon, 23 Feb 2026 03:18:17 +0000 (+0100)
Subject: apps/s_server.c: free ECH storage in ech_load_dir() on return
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08f6739dfa742cebddd54e1827dbc7520a424420;p=thirdparty%2Fopenssl.git

apps/s_server.c: free ECH storage in ech_load_dir() on return

The ECH storage is to be freed on both error and success paths,
as it is copied by SSL_CTX_set1_echstore().

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681454
Fixes: a2e5848d9d11 "s_client and s_server options for ECH"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:38 2026
(Merged from https://github.com/openssl/openssl/pull/30139)
---

diff --git a/apps/s_server.c b/apps/s_server.c
index 615a9df747..07717e7537 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1574,6 +1574,7 @@ static int ech_load_dir(SSL_CTX *lctx, const char *thedir,
     OSSL_ECHSTORE *es = NULL;
     BIO *in = NULL;
     int loaded = 0;
+    int ret = 0;
 
     /*
      * If you change the output to bio_s_out here you may
@@ -1624,13 +1625,18 @@ static int ech_load_dir(SSL_CTX *lctx, const char *thedir,
     }
     if (SSL_CTX_set1_echstore(lctx, es) != 1) {
         BIO_puts(bio_err, "ECH: Internal error\n");
-        return 0;
+        goto end;
     }
     if (bio_s_out != NULL)
         BIO_printf(bio_s_out, "Added %d ECH key pairs from: %s\n",
             loaded, thedir);
     *nloaded = loaded;
-    return 1;
+    ret = 1;
+
+end:
+    OSSL_ECHSTORE_free(es);
+
+    return ret;
 }
 #endif