authorAndrew Bartlett <abartlet@samba.org>2004-06-13 23:08:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:51:56 -0500
commite27895d54fa487d28a87e1d31f172e6e468100e2 (patch)
treeaffece59181d8dafb265fc83dd160b705fd247b5 /source3/libsmb/smb_signing.c
parent58686e844f30e0c1712ec87d7f1b3e743d09be96 (diff)
r1121: Fix memory leak in the trans2 signing code.
We would start the trans2 state, which is fine, but never pull the expected reply off the packet queue. I'm not sure if this is still a major problem after jra's recent 'no duplicate mids on the list' change, but I think this is correct anyway. (This used to be commit ee23a4237d427ce72d6a8c5f180ef48d6454cddc)
Diffstat (limited to 'source3/libsmb/smb_signing.c')
-rw-r--r--source3/libsmb/smb_signing.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index 868c991c16..8c59e49ebb 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -497,6 +497,7 @@ BOOL cli_simple_set_signing(struct cli_state *cli,
void cli_signing_trans_start(struct cli_state *cli, uint16 mid)
{
struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+ uint32 reply_seq_num;
if (!cli->sign_info.doing_signing || !data)
return;
@@ -504,9 +505,16 @@ void cli_signing_trans_start(struct cli_state *cli, uint16 mid)
data->trans_info = smb_xmalloc(sizeof(struct trans_info_context));
ZERO_STRUCTP(data->trans_info);
- data->trans_info->send_seq_num = data->send_seq_num-2;
+ /* This ensures the sequence is pulled off the outstanding packet list */
+ if (!get_sequence_for_reply(&data->outstanding_packet_list,
+ mid, &reply_seq_num)) {
+ DEBUG(1, ("get_sequence_for_reply failed - did we enter the trans signing state without sending a packet?\n"));
+ return;
+ }
+
+ data->trans_info->send_seq_num = reply_seq_num - 1;
data->trans_info->mid = mid;
- data->trans_info->reply_seq_num = data->send_seq_num-1;
+ data->trans_info->reply_seq_num = reply_seq_num;
DEBUG(10,("cli_signing_trans_start: storing mid = %u, reply_seq_num = %u, send_seq_num = %u \
data->send_seq_num = %u\n",
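Review bot: The new early `return;` after a failed `get_sequence_for_reply()` leaves `data->trans_info` allocated and zero-filled, because the `smb_xmalloc`/`ZERO_STRUCTP` pair runs before the lookup. Code outside this hunk that tests `data->trans_info` would presumably treat the trans signing state as active with a mid and sequence numbers of 0, so later signatures could be computed or checked against the wrong sequence; the allocation is also not released on this path. Either perform the lookup before allocating, or add `SAFE_FREE(data->trans_info);` ahead of the `return;`. The function returns void, so the caller cannot see the failure, which is worth stating in a comment above it. The function body continues past the end of the hunk.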