Fix use-after-free in DoH write buffer after HTTP/2 send
authorAydın Mercan <aydin@isc.org>
Tue, 10 Mar 2026 11:48:02 +0000 (14:48 +0300)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:32:15 +0000 (13:32 +0200)
After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.

lib/isc/netmgr/http.c

index 4d8fe48174c3d28e4c4aa5b2190e064f85579555..0055311cb2070e87b85bfb51aed1bd6646579495 100644 (file)
@@ -2743,6 +2743,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock,
        } else {
                cb(handle, result, cbarg);
        }
+
+       isc_buffer_initnull(&sock->h2->wbuf);
        isc__nm_uvreq_put(&req);
 }
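Review bot: The new `isc_buffer_initnull(&sock->h2->wbuf);` has to stay ahead of `isc__nm_uvreq_put(&req);`, but nothing in the code records that ordering, so a later cleanup could silently bring back the dangling write buffer the commit message describes. I would add a comment above the call, for example `/* wbuf points into memory released with req; reset it before the put so a later nghttp2 send cannot read freed data. */`. The reset also runs after `cb(handle, result, cbarg)` and dereferences `sock->h2` unconditionally; if a send callback can tear down the HTTP/2 session state (not visible here), this line needs a guard. server_httpsend begins outside this hunk, so it is worth confirming that no earlier exit path releases the request without the same reset.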