From 4bab1e7bbd4680f4838a13d495954f1fe39a2f5e Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 10 Oct 2014 11:40:14 +0200
Subject: [PATCH] smbd: Fix a use-after-free

We can't reference xconn->next after it was talloc_free'ed

Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Oct 10 14:32:53 CEST 2014 on sn-devel-104
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11218
(cherry picked from commit 6d2c8f54e5e87485783b5173aa9f903a79d25443)
---
 source3/smbd/server_exit.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c
index d48a8f2..6a51c24 100644
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -218,7 +218,10 @@ static void exit_server_common(enum server_exit_reason how,
 * because smbd_msg_ctx is not a talloc child of smbd_server_conn.
 */
 if (client != NULL) {
- for (; xconn != NULL; xconn = xconn->next) {
+ struct smbXsrv_connection *next;
+
+ for (; xconn != NULL; xconn = next) {
+ next = xconn->next;
 DLIST_REMOVE(client->connections, xconn);
 talloc_free(xconn);
 }
-- 
1.9.1
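Review bot: The added `next = xconn->next;` carries no comment saying that it has to stay ahead of `DLIST_REMOVE()` and `talloc_free()`, so a later tidy-up that folds it back into the `for` header would silently reintroduce the read of freed memory. I would add `/* save the successor first: xconn is unlinked and freed below */` directly above that assignment. The loop also starts from whatever `xconn` holds on entry; its initialisation is outside the hunk, so whether the walk begins at the head of `client->connections` (and therefore frees every connection) cannot be confirmed from here. Since the only use of `next` is inside the loop body, it could be declared there to keep its scope as small as the fix needs.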