Fix incorrect assertions and possible use-after-free in evrpc_free()

Original description:

  The following patch fixes incorrect assertions in evrpc_free():
  evrpc_unregister_rpc() and evrpc_remove_hook() return 0 for success.

  Also, in evrpc_unregister_rpc(), it is better to free RPC structure
  at the end: evrpc_free() uses rpc->uri as "name" parameter when
  calling evrpc_unregister_rpc(), then rpc->uri is freed, but we have
  "registered_uri = evrpc_construct_uri(name)". So at this time "name"
  is invalid.

1 files changed, 4 insertions, 4 deletions

diff --git a/evrpc.c b/evrpc.c
index 9d692994..e11892dc 100644
--- a/evrpc.c
+++ b/evrpc.c
@@ -98,7 +98,7 @@ evrpc_free(struct evrpc_base *base)
 
 	while ((rpc = TAILQ_FIRST(&base->registered_rpcs)) != NULL) {
 		r = evrpc_unregister_rpc(base, rpc->uri);
-		EVUTIL_ASSERT(r);
+		EVUTIL_ASSERT(r == 0);
 	}
 	while ((pause = TAILQ_FIRST(&base->paused_requests)) != NULL) {
 		TAILQ_REMOVE(&base->paused_requests, pause, next);
@@ -263,9 +263,6 @@ evrpc_unregister_rpc(struct evrpc_base *base, const char *name)
 	}
 	TAILQ_REMOVE(&base->registered_rpcs, rpc, next);
 
-	mm_free((char *)rpc->uri);
-	mm_free(rpc);
-
 	registered_uri = evrpc_construct_uri(name);
 
 	/* remove the http server callback */
@@ -273,6 +270,9 @@ evrpc_unregister_rpc(struct evrpc_base *base, const char *name)
 	EVUTIL_ASSERT(r == 0);
 
 	mm_free(registered_uri);
+
+	mm_free((char *)rpc->uri);
+	mm_free(rpc);
 	return (0);
 }