smbd: Fix a use-after-free
author: Volker Lendecke <vl@samba.org>
Fri, 10 Oct 2014 09:40:14 +0000 (11:40 +0200)
committer: Stefan Metzmacher <metze@samba.org>
Fri, 10 Oct 2014 12:32:52 +0000 (14:32 +0200)
We can't reference xconn->next after it was talloc_free'ed

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Oct 10 14:32:53 CEST 2014 on sn-devel-104

source3/smbd/server_exit.c

index d48a8f283d298248f1c769f48866b7b6271000ec..6a51c24f549984f0ef7e21160661f49e18cdb762 100644 (file)
@@ -218,7 +218,10 @@ static void exit_server_common(enum server_exit_reason how,
         * because smbd_msg_ctx is not a talloc child of smbd_server_conn.
         */
        if (client != NULL) {
-               for (; xconn != NULL; xconn = xconn->next) {
+               struct smbXsrv_connection *next;
+
+               for (; xconn != NULL; xconn = next) {
+                       next = xconn->next;
                        DLIST_REMOVE(client->connections, xconn);
                        talloc_free(xconn);
                }
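
Review bot: The new `next = xconn->next;` line carries no comment saying that its position is what fixes the bug, so a later cleanup that moves the read below `DLIST_REMOVE(client->connections, xconn);` or `talloc_free(xconn);` would reintroduce the use-after-free. A one-line comment above the assignment, stating that the successor has to be saved before the element is unlinked and freed, would document that. As a minor style point, `struct smbXsrv_connection *next;` is declared uninitialised; initialising it to NULL at the declaration makes the loop safe against a future edit that adds a path which skips the assignment.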