From 4d16a8c9f2d9a5e88cd4588246d51eb5731d3b27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ayd=C4=B1n=20Mercan?= <aydin@isc.org>
Date: Tue, 10 Mar 2026 14:48:02 +0300
Subject: [PATCH] Fix use-after-free in DoH write buffer after HTTP/2 send

After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.
---
 lib/isc/netmgr/http.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index 4d8fe48174..0055311cb2 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -2743,6 +2743,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock,
 	} else {
 		cb(handle, result, cbarg);
 	}
+
+	isc_buffer_initnull(&sock->h2->wbuf);
 	isc__nm_uvreq_put(&req);
 }