r2616: the cascading nature of talloc_free() can lead to some surprises. In

this case the bug was that server_terminate_connection() destroys the
server context, which in turn cascades down to destroy all current
request contexts, so we musn't then try to destroy the request
structure a second time.
(This used to be commit 28a647f681e2166c01f7ac59b16305676d5caa71)

diff --git a/source4/smb_server/request.c b/source4/smb_server/request.c
index e3121f839812fcc2674b53a3a7ace95446cd0c95..15e821b32bc13361db6ce42aefb75ec81a647ce5 100644 (file)
--- a/source4/smb_server/request.c
+++ b/source4/smb_server/request.c
@@ -261,6 +261,7 @@ void req_send_reply_nosign(struct smbsrv_request *req)
        status = socket_send(req->smb_conn->connection->socket, req, &tmp_blob, &sendlen, SOCKET_FLAG_BLOCK);
        if (!NT_STATUS_IS_OK(status) || (req->out.size != sendlen)) {
                smbsrv_terminate_connection(req->smb_conn, "failed to send reply\n");
+               return;
        }
 
        req_destroy(req);