Fix smbd crash for close_on_completion
authorVolker Lendecke <vl@samba.org>
Sat, 28 Mar 2009 18:58:45 +0000 (19:58 +0100)
committerKarolin Seeger <kseeger@samba.org>
Wed, 15 Apr 2009 07:07:59 +0000 (09:07 +0200)
handle_trans() can talloc_free "conn" if the client requests
close_on_completion. "state" is a talloc_child of conn, so it will be gone when
we later free state->data et al.
(cherry picked from commit e9457c598e25ededb48b73d7dc5ab0f6295ea399)

source3/smbd/ipc.c

index f20c8512975c573c6987896ce42fb36630aba271..5fd756e384b03e0b3ee14a0a1fc84c5b535031a4 100644 (file)
@@ -750,6 +750,8 @@ void reply_trans(struct smb_request *req)
                return;
        }
 
+       talloc_steal(talloc_tos(), state);
+
        handle_trans(conn, req, state);
 
        SAFE_FREE(state->data);
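Review bot: The added `talloc_steal(talloc_tos(), state);` ahead of `handle_trans()` carries no comment, so without the commit message a reader cannot tell why state is reparented immediately before it is used. I would put `/* handle_trans() may free conn on close_on_completion; keep state alive past the call */` above it, here and on the identical line in reply_transs. The body of reply_trans continues past the hunk, so how state itself is released after `SAFE_FREE(state->data);` is not visible here.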
@@ -848,6 +850,8 @@ void reply_transs(struct smb_request *req)
                return;
        }
 
+       talloc_steal(talloc_tos(), state);
+
        handle_trans(conn, req, state);
 
        DLIST_REMOVE(conn->pending_trans, state);
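Review bot: `DLIST_REMOVE(conn->pending_trans, state);` still runs after `handle_trans()`, and the commit message says handle_trans() can talloc_free conn when the client requests close_on_completion, so on that path this line appears to read and write through a freed conn. Reparenting state protects only state, not the list head stored in conn. Unlinking first, i.e. moving `DLIST_REMOVE(conn->pending_trans, state);` above `handle_trans(conn, req, state);`, would avoid touching conn afterwards, provided handle_trans() does not rely on state still being on the list, which cannot be confirmed from this hunk. reply_transs continues outside the hunk.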