cbch: Fix bts_smscb_state_reset() to avoid double-free

If the currently transmitted message is the default message,
bts_ss->cur_msg == bts_ss->derfault_msg.  In this case we cannot
simply talloc_free() both of them, as it would result in a boudle-free.

Change-Id: I2d3645e34d31507b012a53ffe12d14223682f808
Closes: OS#5325
Fixes: Ib01d38c59ba9fa083fcc0682009c13d2db3664fe

src/common/cbch.c

@@ -332,7 +332,10 @@ static void bts_smscb_state_reset(struct bts_smscb_state *bts_ss)
 	}
 	bts_ss->queue_len = 0;
 	rate_ctr_group_reset(bts_ss->ctrs);
-	TALLOC_FREE(bts_ss->cur_msg);
+	/* avoid double-free of default_msg in case cur_msg == default_msg */
+	if (bts_ss->cur_msg && bts_ss->cur_msg != bts_ss->default_msg)
+		talloc_free(bts_ss->cur_msg);
+	bts_ss->cur_msg = NULL;
 	TALLOC_FREE(bts_ss->default_msg);
 }