upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-08 17:52:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix use-after-free in DoH write buffer after HTTP/2 send

Browse source 
After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.
This commit is contained in:
Aydın Mercan 2026-03-10 14:48:02 +03:00 committed by Michał Kępień
parent b794b4eeed
commit 4d16a8c9f2
No known key found for this signature in database
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/isc/netmgr/http.c
View file

@ -2743,6 +2743,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock,
} else {
cb(handle, result, cbarg);
}
isc_buffer_initnull(&sock->h2->wbuf);
isc__nm_uvreq_put(&req);
}