Fix a valgrind error in chain_reply

construct_reply() references the request after chain_reply has freed it.
(cherry picked from commit 5135ebd6f099518f0a0b5796e8057210be824740)

Addresses bug #6611.
(cherry picked from commit 5c6aa5ce9fb0cc5d63d04b0777d296c82e61c0a5)

2 files changed, 12 insertions, 3 deletions

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 9cae327c6cd..b20a8eff06c 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -659,6 +659,8 @@ struct smb_request {
 	 * state information for async smb handling
 	 */
 	void *async_priv;
+
+	bool done;
 };
 
 /* Defines for the sent_oplock_break field above. */
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 962b4926c88..e1069ebd870 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -377,6 +377,7 @@ void init_smb_request(struct smb_request *req,
 	req->conn = conn_find(req->tid);
 	req->chain_fsp = NULL;
 	req->chain_outbuf = NULL;
+	req->done = false;
 	smb_init_perfcount_data(&req->pcd);
 
 	/* Ensure we have at least wct words and 2 bytes of bcc. */
@@ -1395,6 +1396,11 @@ static void construct_reply(char *inbuf, int size, size_t unread_bytes,
 		req->unread_bytes = 0;
 	}
 
+	if (req->done) {
+		TALLOC_FREE(req);
+		return;
+	}
+
 	if (req->outbuf == NULL) {
 		return;
 	}
@@ -1650,8 +1656,8 @@ void chain_reply(struct smb_request *req)
 			exit_server_cleanly("chain_reply: srv_send_smb "
 					    "failed.");
 		}
-		TALLOC_FREE(req);
-
+		TALLOC_FREE(req->chain_outbuf);
+		req->done = true;
 		return;
 	}
 
@@ -1772,7 +1778,8 @@ void chain_reply(struct smb_request *req)
 			  &req->pcd)) {
 		exit_server_cleanly("construct_reply: srv_send_smb failed.");
 	}
-	TALLOC_FREE(req);
+	TALLOC_FREE(req->chain_outbuf);
+	req->done = true;
 }
 
 /****************************************************************************