From cfee49ee9054a238bda686666ac6e471fbbfca10 Mon Sep 17 00:00:00 2001
From: Martin Blix Grydeland <martin@varnish-software.com>
Date: Wed, 20 Aug 2025 13:22:15 +0200
Subject: H2: Use the correct queue context when sending rapid reset goaway

When queing for send during rapid reset handling on incoming frame, it is
`h2->req0` that should be used for queueing, not the `struct h2_req` of
the stream for which we are handling the incoming frame. This error would
lead to the queue structure becoming corrupted.

Fixes: #4380

diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index b8c3535a33..4265da7df4 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -408,9 +408,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 	if (r2 == NULL)
 		return (0);
 	if (h2_rapid_reset_check(wrk, h2, r2)) {
-		H2_Send_Get(wrk, h2, r2);
-		h2e = h2_rapid_reset_charge(wrk, h2, r2);
-		H2_Send_Rel(h2, r2);
+		H2_Send_Get(wrk, h2, h2->req0);
+		h2e = h2_rapid_reset_charge(wrk, h2, h2->req0);
+		H2_Send_Rel(h2, h2->req0);
 	}
 	h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
 	return (h2e);
