Use-after-free when sending (discarding) responses on closed connections

[redlicha]

• discovered when testing with error injection via netem
• keepalive mechanism eventually leads to connection termination
• pending responses are discarded via xio_send_response as the client code finished processing these which might happen after a XIO_SESSION_CONNECTION_TEARDOWN_EVENT which in turn leads to the on_msg_error callback getting invoked
• client code frees up the messages in the on_msg_error code
• xio_send_response:

if (unlikely(
		      connection->disconnecting ||
		      (connection->state != XIO_CONNECTION_STATE_ONLINE &&
		       connection->state != XIO_CONNECTION_STATE_ESTABLISHED &&
		       connection->state != XIO_CONNECTION_STATE_INIT))) {
			/* we discard the response as connection is not active
			 * anymore
			 */
			xio_set_error(XIO_ESHUTDOWN);
			xio_tasks_pool_put(task);

			xio_session_notify_msg_error(connection, pmsg,
						     XIO_E_MSG_DISCARDED,
						     XIO_MSG_DIRECTION_OUT);

			pmsg = pmsg->next; 
			continue;

pmsg is dereferenced after the on_msg_error callback (via xio_session_notify_msg_error)

• related: sending / discarding the last response after a connection teardown leads to the client code invoking xio_connection_destroy which in turn triggers a use-after-free in xio_send_response when dereferencing connection at a later point:

send:

	/* do not xmit until connection is assigned */
	if (connection && xio_is_connection_online(connection)) {
		if (xio_connection_xmit(connection)) {