s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv().

cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
frees req, then uses the state pointer which was owned by req.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144

1 files changed, 6 insertions, 2 deletions

diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 628b17b293b..78f61fbedd4 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
 {
 	struct cli_smb2_close_fnum_state *state = tevent_req_data(
 		req, struct cli_smb2_close_fnum_state);
-	NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
-	state->cli->raw_status = status;
+	NTSTATUS status = NT_STATUS_OK;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		state->cli->raw_status = status;
+	}
+	tevent_req_received(req);
 	return status;
 }