s3: smbd: smb2-sessionsetup. Fix use after free when the sessionsetup request state...

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep  8 09:52:23 CEST 2014 on sn-devel-104

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index b31df84dbed642f2adedf51fd1646f385993a28b..69905c48159ef45958dbbff2ad406fdd9fecb6a8 100644 (file)
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -476,6 +476,12 @@ static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_set
        state->session->status = NT_STATUS_USER_SESSION_DELETED;
        state->smb2req->session = talloc_move(state->smb2req, &state->session);
 
+       /*
+        * We own the session now - we don't need the
+        * tag talloced on session that keeps track of session independently.
+        */
+       TALLOC_FREE(state->pp_self_ref);
+
        /*
         * We've made this session owned by the current request.
         * Ensure that any outstanding requests don't also refer