[Bug] Two UAF related to redsocks_shutdown

[ShangzhiXu]

Describe the issue
I found a UAF bug in http-connection.c, in function httpc_read_cb

To Reproduce
Found it by static analysis~

Expected behavior
In this function, at line 168-169 looks like this

		redsocks_shutdown(client, client->client, SHUT_RD);
		const size_t avail = evbuffer_get_length(client->client->input);
		redsocks_shutdown(client, client->client, SHUT_RD);
		const size_t avail = evbuffer_get_length(client->client->input);
		if (avail) {
			if (evbuffer_drain(client->client->input, avail) != 0) {
				redsocks_log_errno(client, LOG_NOTICE, "evbuffer_drain");
				goto fail;
			}
		}
		redsocks_shutdown(client, client->relay, SHUT_WR);
		client->state = httpc_headers_skipped;

in redsocks_shutdown, there is a possibility of calling redsocks_drop_client(client), in redsocks.c line 790, which looks like this:

if (shut_both(client)) {
		redsocks_log_error(client, LOG_DEBUG, "both client and server disconnected");
		redsocks_drop_client(client);
	}

But after calling redsocks_shutdown above, client was visited many times. So I'm wondering if it might lead to UAF here.

Also, there is another similar problem in redsocks.c
at line 820, we called redsocks_shutdown(client, buffev, SHUT_RD); but in line 824, we visited client->state again.