From 637a127f6506db4260584ce3840fb4a6fde9112a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ayd=C4=B1n=20Mercan?= <aydin@isc.org>
Date: Tue, 10 Mar 2026 14:48:02 +0300
Subject: [PATCH] Fix use-after-free in DoH write buffer after HTTP/2 send

After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.

(cherry picked from commit 6afc4270e0323a52262802d553dda8233df36d42)
---
 lib/isc/netmgr/http.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index 93ab907406..82742df510 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -2753,6 +2753,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock,
 	} else {
 		cb(handle, result, cbarg);
 	}
+
+	isc_buffer_initnull(&sock->h2->wbuf);
 	isc__nm_uvreq_put(&req);
 }