s3-smbd: Fix use after issue in smbd_smb2_request_dispatch()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11581

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 30 19:49:47 CET 2015 on sn-devel-104

(cherry picked from commit db9e10d071793b91b3f3d40225a8634e3c34f65e)

1 files changed, 8 insertions, 7 deletions

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 40f3f2d638c..0ae3fc8fe5b 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1703,13 +1703,6 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
 	search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
 	search_async_id = BVAL(inhdr, SMB2_HDR_PID);
 
-	/*
-	 * we don't need the request anymore
-	 * cancel requests never have a response
-	 */
-	DLIST_REMOVE(xconn->smb2.requests, req);
-	TALLOC_FREE(req);
-
 	for (cur = xconn->smb2.requests; cur; cur = cur->next) {
 		const uint8_t *outhdr;
 		uint64_t message_id;
@@ -2350,6 +2343,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 					       req->profile, _INBYTES(req));
 		return_value = smbd_smb2_request_process_cancel(req);
 		SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0);
+
+		/*
+		 * We don't need the request anymore cancel requests never
+		 * have a response.
+		 */
+		DLIST_REMOVE(xconn->smb2.requests, req);
+		TALLOC_FREE(req);
+
 		break;
 
 	case SMB2_OP_KEEPALIVE: