Fix use-after-free in DoH write buffer after HTTP/2 send
authorAydın Mercan <aydin@isc.org>
Tue, 10 Mar 2026 11:48:02 +0000 (14:48 +0300)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:09:18 +0000 (13:09 +0200)
After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.

(cherry picked from commit 6afc4270e0323a52262802d553dda8233df36d42)

lib/isc/netmgr/http.c

index 93ab90740699702193bf5ac61af225a6d30d016e..82742df510ddd49dd4dc0b09d201a00035eac9dc 100644 (file)
@@ -2753,6 +2753,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock,
        } else {
                cb(handle, result, cbarg);
        }
+
+       isc_buffer_initnull(&sock->h2->wbuf);
        isc__nm_uvreq_put(&req);
 }
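Review bot: The added `isc_buffer_initnull(&sock->h2->wbuf);` has no comment saying why it must come before `isc__nm_uvreq_put(&req)`, so a later cleanup could reorder or drop it and bring back the dangling pointer. I would put this above it: `/* wbuf points into memory released with req; detach it first so a later nghttp2 send (e.g. SETTINGS ACK) cannot read freed memory. */`. server_httpsend starts outside the hunk, so it is not visible whether an earlier return path also releases the request while wbuf still refers to it; if one exists, it presumably needs the same reset. The page shows no regression test, and a run under AddressSanitizer that forces a frame to be sent after the response completes would guard this ordering.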