From 3b0572bf91a527674459427c761d45361e40d3ec Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 28 Mar 2009 19:58:45 +0100
Subject: Fix smbd crash for close_on_completion

handle_trans() can talloc_free "conn" if the client requests close_on_completion. "state" is a talloc_child of conn, so it will be gone when we later free state->data et al.
---
 source3/smbd/ipc.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'source3/smbd')

diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index d39aab4f47..2d5713590d 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -754,6 +754,8 @@ void reply_trans(struct smb_request *req)
 return;
 }
 
+ talloc_steal(talloc_tos(), state);
+
 handle_trans(conn, req, state);
 
 SAFE_FREE(state->data);
@@ -852,6 +854,8 @@ void reply_transs(struct smb_request *req)
 return;
 }
 
+ talloc_steal(talloc_tos(), state);
+
 handle_trans(conn, req, state);
 
 DLIST_REMOVE(conn->pending_trans, state);
-- 
cgit
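Review bot: The added `talloc_steal(talloc_tos(), state);` in reply_trans, and the identical line in the reply_transs hunk, has no comment, so the lifetime reason for it lives only in the commit message. A one-line comment above each call would keep a later cleanup from dropping it as redundant, for example `/* handle_trans() may free conn (close_on_completion); reparent state so it outlives conn */`. Both functions start and end outside the hunks, so how state is finally released on the later paths cannot be checked from here.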
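Review bot: In reply_transs the context line right after the call, `DLIST_REMOVE(conn->pending_trans, state);`, still dereferences conn once handle_trans() has returned, and the commit message says handle_trans() can talloc_free conn when the client requests close_on_completion. The added talloc_steal keeps state alive but does nothing for conn, so on that client-selectable path this looks like a remaining access to freed memory. Unlinking first, by moving `DLIST_REMOVE(conn->pending_trans, state);` above `handle_trans(conn, req, state);`, would avoid it, assuming handle_trans() does not need state on the pending list; that needs confirming, since its body is not in the hunk. reply_transs starts and ends outside the hunk.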