s3-smbd: Fix use after issue in smbd_smb2_request_dispatch()
authorAndreas Schneider <asn@samba.org>
Fri, 30 Oct 2015 08:01:28 +0000 (09:01 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 30 Oct 2015 18:49:47 +0000 (19:49 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11581

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 30 19:49:47 CET 2015 on sn-devel-104

source3/smbd/smb2_server.c

index a31a6e21881df8342a76c0089f82fc9367e19e88..2692fb8d112db920fcaf888c1dd07c605e148525 100644 (file)
@@ -1705,13 +1705,6 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
        search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
        search_async_id = BVAL(inhdr, SMB2_HDR_PID);
 
-       /*
-        * we don't need the request anymore
-        * cancel requests never have a response
-        */
-       DLIST_REMOVE(xconn->smb2.requests, req);
-       TALLOC_FREE(req);
-
        for (cur = xconn->smb2.requests; cur; cur = cur->next) {
                const uint8_t *outhdr;
                uint64_t message_id;
@@ -2368,6 +2361,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
                                               req->profile, _INBYTES(req));
                return_value = smbd_smb2_request_process_cancel(req);
                SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0);
+
+               /*
+                * We don't need the request anymore cancel requests never
+                * have a response.
+                */
+               DLIST_REMOVE(xconn->smb2.requests, req);
+               TALLOC_FREE(req);
+
                break;
 
        case SMB2_OP_KEEPALIVE:
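Review bot: The comment added above `DLIST_REMOVE(xconn->smb2.requests, req);` says why the request is dropped but not why the free has to sit at this point, which is the substance of the fix: `SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0)` on the line before still reads `req` after `smbd_smb2_request_process_cancel()` has returned. I would record that ordering constraint and fix the run-on sentence, for example `/* Cancel requests never have a response, so drop the request here. It must stay valid until the profiling macro above has read req->profile. */`. The code that follows the switch is outside this hunk, so it is worth confirming that nothing there touches `req` once this case breaks. TALLOC_FREE should leave the pointer NULL, so a stray later access would presumably show up as a NULL dereference rather than a read of freed memory.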