nitb/ctrl: Fix access to freed memory in verify_subscriber_modify

Currently the temporary string 'tmp' is freed before parts of it are
referenced. This lets address sanitizer complain when evaluating
strlen(imsi), where imsi points into the 'tmp' data block.

This patch moves the talloc_free to the end of the function and uses
a rc variable instead of using early returns.

Addresses:
testSubscriberAddRemove (__main__.TestCtrlNITB) ... Launch:
./src/osmo-nitb/osmo-nitb -c
  ./doc/examples/osmo-nitb/nanobts/openbsc.cfg -l test_hlr.sqlite3
Connecting to host 127.0.0.1:4249
Sending "SET 1000 subscriber-modify-v1 2620345,445566"
Decoded replies:  {}
ERROR

Sponsored-by: On-Waves ehf

openbsc/src/libmsc/ctrl_commands.c

@@ -27,6 +27,7 @@
 static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, void *d)
 {
 	char *tmp, *imsi, *msisdn, *saveptr = NULL;
+	int rc = 0;
 
 	tmp = talloc_strdup(cmd, value);
 	if (!tmp)
@@ -34,15 +35,16 @@ static int verify_subscriber_modify(struct ctrl_cmd *cmd, const char *value, voi
 
 	imsi = strtok_r(tmp, ",", &saveptr);
 	msisdn = strtok_r(NULL, ",", &saveptr);
-	talloc_free(tmp);
 
 	if (!imsi || !msisdn)
-		return 1;
-	if (strlen(imsi) >= GSM_IMSI_LENGTH)
-		return 1;
-	if (strlen(msisdn) >= GSM_EXTENSION_LENGTH)
-		return 1;
-	return 0;
+		rc = 1;
+	else if (strlen(imsi) >= GSM_IMSI_LENGTH)
+		rc = 1;
+	else if (strlen(msisdn) >= GSM_EXTENSION_LENGTH)
+		rc = 1;
+
+	talloc_free(tmp);
+	return rc;
 }
 
 static int get_subscriber_modify(struct ctrl_cmd *cmd, void *data)