From 4190dbe13bf473ba7b8aea8503145d38e77abaea Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 28 Mar 2009 19:58:45 +0100
Subject: [PATCH] Fix smbd crash for close_on_completion

handle_trans() can talloc_free "conn" if the client requests close_on_completion. "state" is a talloc_child of conn, so it will be gone when we later free state->data et al.

(cherry picked from commit 1b7e108cc50a35fa1c15cf4a46f970306efdd1a3)
---
 source/smbd/ipc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index ac5950ec09a..5c9f9f63d90 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -661,6 +661,8 @@ void reply_trans(struct smb_request *req)
 		return;
 	}
 
+	talloc_steal(talloc_tos(), state);
+
 	handle_trans(conn, req, state);
 
 	SAFE_FREE(state->data);
@@ -790,6 +792,8 @@ void reply_transs(struct smb_request *req)
 	 */
 	SCVAL(req->inbuf,smb_com,SMBtrans);
 
+	talloc_steal(talloc_tos(), state);
+
 	handle_trans(conn, req, state);
 
 	DLIST_REMOVE(conn->pending_trans, state);
-- 
2.11.4.GIT
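Review bot: The added `talloc_steal(talloc_tos(), state);` in reply_trans() carries no comment, so the reason it must precede handle_trans() — that handle_trans() may talloc_free `conn`, the talloc parent of `state`, when the client asks for close_on_completion — lives only in the commit message and will not survive a later reordering. I would put `/* handle_trans() may free conn on close_on_completion; keep state alive past it. */` directly above the steal. The re-parenting protects `state` only: if reply_trans() dereferences `conn` after the handle_trans() call (the function ends outside this hunk, so I cannot see whether it does), that access is still a use-after-free in the same scenario. reply_trans() starts and ends outside the hunk.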
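Review bot: In reply_transs() the line after the call, `DLIST_REMOVE(conn->pending_trans, state);`, still dereferences `conn` — and writes to `conn->pending_trans` when `state` is the list head — even though the commit message says handle_trans() may have talloc_free'd `conn` by then; re-parenting `state` keeps `state` alive but does nothing for `conn`. The unlink should happen before the call, i.e. `DLIST_REMOVE(conn->pending_trans, state);` placed immediately before the new `talloc_steal(talloc_tos(), state);` line, so that neither `conn` nor its list is touched once handle_trans() has run. This assumes handle_trans() does not itself look `state` up in `conn->pending_trans`, which I cannot confirm from the hunk. reply_transs() starts and ends outside the hunk.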