From e1606b6089c4f272a2bf9c64ceaefd4f137da950 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 29 Nov 2017 09:21:30 -0800
Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which frees req, then uses the state pointer which was owned by req.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171

Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Böhme
---
 source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 628b17b293b..78f61fbedd4 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
 {
 struct cli_smb2_close_fnum_state *state = tevent_req_data(
 req, struct cli_smb2_close_fnum_state);
- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
- state->cli->raw_status = status;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ state->cli->raw_status = status;
+ }
+ tevent_req_received(req);
 return status;
 }

-- 
2.15.0.531.g2ccb3012c9-goog
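Review bot: On the success path `state->cli->raw_status` is no longer written, because the assignment now sits inside the `if (tevent_req_is_nterror(req, &status))` branch, whereas the removed code stored `status` there on every completion. An error recorded by an earlier operation on the same `cli` would therefore survive a successful close; whether any caller reads `raw_status` afterwards is not visible in this hunk, so this should be confirmed rather than assumed. If the old semantics are wanted, store unconditionally before releasing the request: `(void)tevent_req_is_nterror(req, &status);` then `state->cli->raw_status = status;` then `tevent_req_received(req);`. Since the ordering is the whole fix, a comment above the release call such as `/* state is owned by req: do not touch state after tevent_req_received() */` would keep a later cleanup from reintroducing the use-after-free.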