next_branches(): Fix bugs leading to READ on freed shared memory

This patch fixes two code paths leading to the @avp pointer being freed,
after which the dangling pointer is read afterwards by the
search_next_avp() function at the "done" goto label.  This will work
99% of the time, until the 1% where it won't (crash and burn!).

Many thanks to Richard Revels (@rrevels-bw) and Sebastien Couture for
an accurate report, as well as their involvement in troubleshooting!

Fixes #2446
Fixes #2950

Author: liviuchircu

serialize.c

@@ -281,7 +281,7 @@ int next_branches( struct sip_msg *msg)
 	qvalue_t q;
 	str uri, dst_uri, path, path_dst;
 	char *p;
-	unsigned int flags;
+	unsigned int flags, last_parallel_fork;
 	int rval;
 
 	if (route_type != REQUEST_ROUTE && route_type != FAILURE_ROUTE ) {
@@ -355,16 +355,14 @@ int next_branches( struct sip_msg *msg)
 				path.len, path.s,
 				q, flags, avp->flags);
 
-
-	if (avp->flags & Q_FLAG) {
-		destroy_avp(avp);
-		goto done;
-	}
-
+	last_parallel_fork = (avp->flags & Q_FLAG);
 	prev = avp;
-	avp = search_next_avp(prev, &val);
+	avp = search_next_avp(avp, &val);
 	destroy_avp(prev);
 
+	if (last_parallel_fork)
+		goto done;
+
 	/* Append branches until out of branches or Q_FLAG is set */
 	while (avp != NULL) {
 
@@ -404,19 +402,18 @@ int next_branches( struct sip_msg *msg)
 			goto error1;
 		}
 
-		if (avp->flags & Q_FLAG) {
-			destroy_avp(avp);
-			goto done;
-		}
-
+		last_parallel_fork = (avp->flags & Q_FLAG);
 		prev = avp;
-		avp = search_next_avp(prev, &val);
+		avp = search_next_avp(avp, &val);
 		destroy_avp(prev);
+
+		if (last_parallel_fork)
+			goto done;
 	}
 
 	return 2;
 done:
-	return (search_next_avp(avp, NULL)==NULL)?2:1;
+	return avp ? 1 : 2;
 error1:
 	destroy_avp(avp);
 error: