rtpengine: fix use-after-free of flags string in bencode dictionary

parse_flags() stores pointers into the pkg-allocated flags_nt.s buffer
via bencode_str() and bencode_dictionary_add_len(), which hold references
(not copies). The buffer was freed via pkg_free() before
send_rtpe_command() serialized the dictionary, causing garbled output
for key=value flags like media-address.

Fix by deferring the free via bencode_buffer_destroy_add(), which
ensures the buffer lives until bencode_buffer_free() is called after
the command is sent.

Fixes: #3784

Author: NormB

modules/rtpengine/rtpengine.c

@@ -2811,8 +2811,12 @@ static int rtpe_function_call_prepare(bencode_buffer_t *bencbuf, struct sip_msg
 		goto error;
 	}
 
+	/* flags_nt.s must remain valid until the bencode buffer is serialized
+	 * and sent, because parse_flags() stores pointers into it (via bencode_str
+	 * and bencode_dictionary_add_len) for key=value flags like media-address.
+	 * Register it for cleanup when the bencode buffer is freed. */
 	if (flags_nt.s)
-		pkg_free(flags_nt.s);
+		bencode_buffer_destroy_add(bencbuf, (free_func_t)pkg_free, flags_nt.s);
 
 	return 1;