rtpengine: fix use-after-free of flags string in bencode dictionary

parse_flags() stores pointers into the pkg-allocated flags_nt.s buffer
via bencode_str() and bencode_dictionary_add_len(), which hold references
(not copies). The buffer was freed via pkg_free() before
send_rtpe_command() serialized the dictionary, causing garbled output
for key=value flags like media-address.

Fix by deferring the free via bencode_buffer_destroy_add(), which
ensures the buffer lives until bencode_buffer_free() is called after
the command is sent.

Fixes: #3784

Author: NormB

modules/rtpengine/rtpengine.c

@@ -2638,6 +2638,8 @@ static int rtpe_check_ignore_node(str *error)
 	return ret;
 }
 
+static void pkg_free_wrapper(void *p) { pkg_free(p); }
+
 static int rtpe_function_call_prepare(bencode_buffer_t *bencbuf, struct sip_msg *msg, enum rtpe_operation op,
          struct ng_flags_parse *ng_flags, str *flags_str, str *body_in, bencode_item_t *extra_dict, char **err)
 {
@@ -2811,8 +2813,12 @@ static int rtpe_function_call_prepare(bencode_buffer_t *bencbuf, struct sip_msg
 		goto error;
 	}
 
+	/* flags_nt.s must remain valid until the bencode buffer is serialized
+	 * and sent, because parse_flags() stores pointers into it (via bencode_str
+	 * and bencode_dictionary_add_len) for key=value flags like media-address.
+	 * Register it for cleanup when the bencode buffer is freed. */
 	if (flags_nt.s)
-		pkg_free(flags_nt.s);
+		bencode_buffer_destroy_add(bencbuf, pkg_free_wrapper, flags_nt.s);
 
 	return 1;