Fix a crash bug found by Ira Cooper <samba@ira.wakeful.net>.

[kamenim/samba.git] / source3 / smbd / smb2_server.c

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index b081b6a25769e3d99baafa182224258ded4c014c..7a2a32a9dce1078e505a44cea27f2a70bf858d1b 100644 (file)
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -156,10 +156,6 @@ static int smbd_smb2_request_parent_destructor(struct smbd_smb2_request **req)
 
 static int smbd_smb2_request_destructor(struct smbd_smb2_request *req)
 {
-       if (req->out.vector) {
-               DLIST_REMOVE(req->sconn->smb2.requests, req);
-       }
-
        if (req->parent) {
                *req->parent = NULL;
                talloc_free(req->mem_pool);
@@ -1245,6 +1241,11 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
                return NT_STATUS_NO_MEMORY;
        }
        tevent_req_set_callback(subreq, smbd_smb2_request_writev_done, req);
+       /*
+        * We're done with this request -
+        * move it off the "being processed" queue.
+        */
+       DLIST_REMOVE(req->sconn->smb2.requests, req);
 
        return NT_STATUS_OK;
 }