Fix double free of stun session

[sauwming]

To fix #2505

Upon investigation, the double free issue is caused by a race condition between pj_stun_session_destroy() and on_cache_timeout(). The race is as follows:

• pj_stun_session_destroy() will call destroy_tdata() and decrement the session's group lock.
• on_cache_timeout() will also call destroy_tdata() and decrement the session's group lock again.

The patch will make sure that the group lock will not be decremented more than once in such case.

Special thanks to Joshua Colp (@jcolp) for his help in testing the patch.
https://gerrit.asterisk.org/c/asterisk/+/15869

[sauwming]

Regarding the latest commit, it's to fix this issue found during testing:

When called from stun_tsx_on_complete(), destroy_tdata(tdata, PJ_FALSE) will mark tdata->is_destroying to PJ_TRUE, but will actually delay the destruction and call pj_stun_client_tsx_schedule_destroy(tdata->client_tsx, &delay) instead.

So the next call to destroy_tdata() will never do anything as it will return in if (tdata->is_destroying) return. Then since it never erases tdata from the list, this will cause an infinite loop such as here:

    while (!pj_list_empty(&sess->pending_request_list)) {
	pj_stun_tx_data *tdata = sess->pending_request_list.next;
	destroy_tdata(tdata, PJ_TRUE);
    }