s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv().

cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
frees req, then uses the state pointer which was owned by req.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144

(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)

Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Dec  5 14:29:20 CET 2017 on sn-devel-144

diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 247f4431e57e9fbe41082889155470f180e15381..bf80cd2a1938179be45eebd978d9735030ee392f 100644 (file)
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
 {
        struct cli_smb2_close_fnum_state *state = tevent_req_data(
                req, struct cli_smb2_close_fnum_state);
-       NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
-       state->cli->raw_status = status;
+       NTSTATUS status = NT_STATUS_OK;
+
+       if (tevent_req_is_nterror(req, &status)) {
+               state->cli->raw_status = status;
+       }
+       tevent_req_received(req);
        return status;
 }