s3:smb2cli_base: fix memory hierachy in smb2cli_req_recv()

We need to use talloc_reference() if there're more than one
response, but we use it in a way that the caller can't
call talloc_free() or talloc_unlink() on it.

metze

1 files changed, 5 insertions, 4 deletions

diff --git a/source3/libsmb/smb2cli_query_directory.c b/source3/libsmb/smb2cli_query_directory.c
index fc6c0b79a0..554b267927 100644
--- a/source3/libsmb/smb2cli_query_directory.c
+++ b/source3/libsmb/smb2cli_query_directory.c
@@ -27,7 +27,7 @@
 
 struct smb2cli_query_directory_state {
 	uint8_t fixed[32];
-	uint8_t *inbuf;
+	struct iovec *recv_iov;
 	uint8_t *data;
 	uint32_t data_length;
 };
@@ -97,7 +97,7 @@ static void smb2cli_query_directory_done(struct tevent_req *subreq)
 	struct iovec *iov;
 	uint16_t data_offset;
 
-	status = smb2cli_req_recv(subreq, talloc_tos(), &iov, 9);
+	status = smb2cli_req_recv(subreq, state, &iov, 9);
 	if (tevent_req_nterror(req, status)) {
 		return;
 	}
@@ -110,7 +110,8 @@ static void smb2cli_query_directory_done(struct tevent_req *subreq)
 		tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 		return;
 	}
-	state->inbuf = smb2cli_req_inbuf(subreq);
+
+	state->recv_iov = iov;
 	state->data = (uint8_t *)iov[2].iov_base;
 	tevent_req_done(req);
 }
@@ -128,7 +129,7 @@ NTSTATUS smb2cli_query_directory_recv(struct tevent_req *req,
 	if (tevent_req_is_nterror(req, &status)) {
 		return status;
 	}
-	talloc_steal(mem_ctx, state->inbuf);
+	talloc_steal(mem_ctx, state->recv_iov);
 	*data_length = state->data_length;
 	*data = state->data;
 	return NT_STATUS_OK;