exmdb_client: fix crash when replacing old connections

==774==ERROR: AddressSanitizer: global-buffer-overflow; READ of size 1
    f0 _M_reset /usr/include/c++/15/optional:337
    f4 ~remote_svr lib/exmdb_client.cpp:82
    f9 erase /usr/include/c++/15/bits/list.tcc:153
    f10 exmdb_client_get_connection lib/exmdb_client.cpp:475

Fix these issues:

* The inside of the loop referenced `i`, which is not right; the
  iterator is `j`.
* `mdcl_server_list.erase(j.base())`: the iterator was not secured
  against removal of the element it points to.
* The loop ran in the wrong direction (from the end - where `i`
  was just added previously).

Fixes: gromox-3.4-160-g242b86036

Author: jengelh

lib/exmdb_client.cpp

@@ -464,16 +464,22 @@ static remote_conn_ref exmdb_client_get_connection(const char *dir)
 		i->conn_list.pop_front();
 	}
 	if (g_exmdbcl_active_handles >= mdcl_conn_max) {
-		/*
-		 * Try closing an older connection. But do not touch async
-		 * notifier threads, they are kind of separate anyway.
-		 */
-		for (auto j = mdcl_server_list.rbegin(); j != mdcl_server_list.rend(); ++j) {
-			if (i->conn_list.size() > 0)
-				i->conn_list.pop_back();
-			if (i->conn_list.empty() && !i->m_agent.has_value())
-				mdcl_server_list.erase(j.base());
-			break;
+		/* Try closing one older connection. */
+		for (auto j = mdcl_server_list.begin(); j != i; ) {
+			bool do_pop = j->conn_list.size() > 0;
+			if (do_pop)
+				j->conn_list.pop_back();
+			/* Do not touch async notifier threads, they are kind of separate anyway. */
+			auto clean = j->conn_list.empty() && !j->m_agent.has_value();
+			if (do_pop) {
+				if (clean)
+					mdcl_server_list.erase(j);
+				break;
+			}
+			if (clean)
+				j = mdcl_server_list.erase(j);
+			else
+				++j;
 		}
 	}
 	if (g_exmdbcl_active_handles >= mdcl_conn_max) {