Fix use after free() in builtin-fetch

As reported by Dave Jones:

Since master.kernel.org updated to latest, I noticed that I could crash
git-fetch by doing this..

export KERNEL=/pub/scm/linux/kernel/git/
git fetch $KERNEL/torvalds/linux-2.6 master:linus

(gdb) bt
 0  0x000000349fd6d44b in free () from /lib64/libc.so.6
 1  0x000000000048f4eb in transport_unlock_pack (transport=0x7ce530) at transport.c:811
 2  0x000000349fd31b25 in exit () from /lib64/libc.so.6
 3  0x00000000004043d8 in handle_internal_command (argc=3, argv=0x7fffea4449f0) at git.c:379
 4  0x0000000000404547 in main (argc=3, argv=0x7fffea4449f0) at git.c:443
 5  0x000000349fd1c784 in __libc_start_main () from /lib64/libc.so.6
 6  0x0000000000403ef9 in ?? ()
 7  0x00007fffea4449d8 in ?? ()
 8  0x0000000000000000 in ?? ()

I then remembered, my .bashrc has this..

export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

which is handy for showing up such bugs.

More info on this glibc feature is at http://udrepper.livejournal.com/11429.html

Signed-off-by: Alex Riesen <[email protected]>
Signed-off-by: Junio C Hamano <[email protected]>

Author: raalkml

builtin-fetch.c

@@ -577,8 +577,6 @@ static int do_fetch(struct transport *transport,
 		free_refs(ref_map);
 	}
 
-	transport_disconnect(transport);
-
 	return 0;
 }
 
@@ -599,6 +597,7 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
 	int i;
 	static const char **refs = NULL;
 	int ref_nr = 0;
+	int exit_code;
 
 	/* Record the command line for the reflog */
 	strbuf_addstr(&default_rla, "fetch");
@@ -652,6 +651,9 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
 
 	signal(SIGINT, unlock_pack_on_signal);
 	atexit(unlock_pack);
-	return do_fetch(transport,
+	exit_code = do_fetch(transport,
 			parse_fetch_refspec(ref_nr, refs), ref_nr);
+	transport_disconnect(transport);
+	transport = NULL;
+	return exit_code;
 }