I am not a 100% sure but I think s->s3 control structure is not being freed in case of app enabling OPENSSL_NO_SSL3 patch code. Ssl23_get_client_hello will return with s->method==NULL. SSL_free will skip over ssl3_free. 0.9.8zc might be leaking more than just s->s3. ( may be dgst msgs). Please correct me if I am wrong.
Thanks,
Vyas.