upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix use-after-free in DoH write buffer after HTTP/2 send

Browse source 
After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.

(cherry picked from commit 6afc4270e0323a52262802d553dda8233df36d42)
This commit is contained in:
Aydın Mercan 2026-03-10 14:48:02 +03:00 committed by Michał Kępień
parent a083b4b3cf
commit 637a127f65
No known key found for this signature in database
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/isc/netmgr/http.c
View file

@ -2753,6 +2753,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock,
} else {
cb(handle, result, cbarg);
}
isc_buffer_initnull(&sock->h2->wbuf);
isc__nm_uvreq_put(&req);
}