fix crash from Conn use after free and double-free

fixes #159

conn.c

@@ -241,6 +241,5 @@ connclose(Conn *c)
         heapremove(&c->srv->conns, c->tickpos);
     }
 
-    protrmdirty(c);
     free(c);
 }

dat.h

@@ -248,7 +248,6 @@ extern size_t job_data_size_limit;
 
 void prot_init(void);
 int64 prottick(Server *s);
-void protrmdirty(Conn*);
 
 Conn *remove_waiting_conn(Conn *c);
 

integ-test.c

@@ -340,6 +340,19 @@ cttestunderscore()
 }
 
 
+void
+cttest2cmdpacket()
+{
+    port = SERVER();
+    fd = mustdiallocal(port);
+    mustsend(fd, "use a\r\nuse b\r\n");
+    ckresp(fd, "USING a\r\n");
+    ckresp(fd, "USING b\r\n");
+
+    killsrv();
+}
+
+
 void
 cttesttoobig()
 {

prot.c

@@ -109,6 +109,7 @@ size_t job_data_size_limit = JOB_DATA_SIZE_LIMIT_DEFAULT;
 #define STATE_SENDWORD 3
 #define STATE_WAIT 4
 #define STATE_BITBUCKET 5
+#define STATE_CLOSE 6
 
 #define OP_UNKNOWN 0
 #define OP_PUT 1
@@ -300,7 +301,7 @@ reply(Conn *c, char *line, int len, int state)
 }
 
 
-void
+static void
 protrmdirty(Conn *c)
 {
     Conn *x, *newdirty = NULL;
@@ -706,7 +707,7 @@ check_err(Conn *c, const char *s)
     if (errno == EWOULDBLOCK) return;
 
     twarn("%s", s);
-    connclose(c);
+    c->state = STATE_CLOSE;
     return;
 }
 
@@ -1568,7 +1569,7 @@ dispatch_cmd(Conn *c)
         reply_line(c, STATE_SENDWORD, "WATCHING %zu\r\n", c->watch.used);
         break;
     case OP_QUIT:
-        connclose(c);
+        c->state = STATE_CLOSE;
         break;
     case OP_PAUSE_TUBE:
         op_ct[type]++;
@@ -1684,9 +1685,13 @@ conn_data(Conn *c)
     case STATE_WANTCOMMAND:
         r = read(c->sock.fd, c->cmd + c->cmd_read, LINE_BUF_SIZE - c->cmd_read);
         if (r == -1) return check_err(c, "read()");
-        if (r == 0) return connclose(c); /* the client hung up */
+        if (r == 0) {
+            c->state = STATE_CLOSE;
+            return;
+        }
 
         c->cmd_read += r; /* we got some bytes */
+        fprintf(stderr, "r %d\n", r);
 
         c->cmd_len = cmd_len(c); /* find the EOL */
 
@@ -1709,7 +1714,10 @@ conn_data(Conn *c)
         to_read = min(c->in_job_read, BUCKET_BUF_SIZE);
         r = read(c->sock.fd, bucket, to_read);
         if (r == -1) return check_err(c, "read()");
-        if (r == 0) return connclose(c); /* the client hung up */
+        if (r == 0) {
+            c->state = STATE_CLOSE;
+            return;
+        }
 
         c->in_job_read -= r; /* we got some bytes */
 
@@ -1724,7 +1732,10 @@ conn_data(Conn *c)
 
         r = read(c->sock.fd, j->body + c->in_job_read, j->r.body_size -c->in_job_read);
         if (r == -1) return check_err(c, "read()");
-        if (r == 0) return connclose(c); /* the client hung up */
+        if (r == 0) {
+            c->state = STATE_CLOSE;
+            return;
+        }
 
         c->in_job_read += r; /* we got some bytes */
 
@@ -1735,7 +1746,10 @@ conn_data(Conn *c)
     case STATE_SENDWORD:
         r= write(c->sock.fd, c->reply + c->reply_sent, c->reply_len - c->reply_sent);
         if (r == -1) return check_err(c, "write()");
-        if (r == 0) return connclose(c); /* the client hung up */
+        if (r == 0) {
+            c->state = STATE_CLOSE;
+            return;
+        }
 
         c->reply_sent += r; /* we got some bytes */
 
@@ -1755,7 +1769,10 @@ conn_data(Conn *c)
 
         r = writev(c->sock.fd, iov, 2);
         if (r == -1) return check_err(c, "writev()");
-        if (r == 0) return connclose(c); /* the client hung up */
+        if (r == 0) {
+            c->state = STATE_CLOSE;
+            return;
+        }
 
         /* update the sent values */
         c->reply_sent += r;
@@ -1823,6 +1840,10 @@ h_conn(const int fd, const short which, Conn *c)
 
     conn_data(c);
     while (cmd_data_ready(c) && (c->cmd_len = cmd_len(c))) do_cmd(c);
+    if (c->state == STATE_CLOSE) {
+        protrmdirty(c);
+        connclose(c);
+    }
     update_conns();
 }