osmux: fix crash in osmux_snprintf when handling multi-batch messages

valgrind reports the following crash backtrace:

!<001c> osmux.c:687 No room for OSMUX payload: only 49 bytes
==12800==
==12800== Process terminating with default action of signal 11 (SIGSEGV)
==12800==  Access not within mapped region at address 0xDFA8E473
==12800==    at 0x4073FD2: osmux_snprintf (osmux.c:628)
==12800==    by 0x80524F1: osmux_deliver (osmux.c:50)
==12800==    by 0x407371C: osmux_xfrm_input_deliver (osmux.c:302)
==12800==    by 0x4073792: osmux_batch_timer_expired (osmux.c:312)
==12800==    by 0x405A4A0: osmo_timers_update (timer.c:243)
==12800==    by 0x405A79A: osmo_select_main (select.c:133)
==12800==    by 0x8049A53: main (mgcp_main.c:307)

The problem is that osmux_snprintf() does not handle multi-batch
messages (i.e. messages that contain several osmux batches). More
specifically, the offset used to locate the next osmux batch was reset
while parsing every osmux batch.

The problem also manifested with wrong outputs.

Reported by Mattias Lundstrom.
Pablo Neira Ayuso 2013-12-13 15:27:21 +01:00 committed by Pablo Neira Ayuso
parent 1f9eb78b4f
commit c733ae5b6e
1 changed files with 3 additions and 2 deletions


@ -661,7 +661,7 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
unsigned int offset = 0;
int msg_len = msg->len, len = size;
struct osmux_hdr *osmuxh;
int this_len = 0;
int this_len, msg_off = 0;
while (msg_len > 0) {
if (msg_len < sizeof(struct osmux_hdr)) {
@ -670,7 +670,7 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
msg_len);
return -1;
}
osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + this_len);
osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + msg_off);
ret = osmux_snprintf_header(buf+offset, size, osmuxh);
if (ret < 0)
@ -679,6 +679,7 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
this_len = sizeof(struct osmux_hdr) +
osmux_get_payload_len(osmuxh);
msg_off += this_len;
if (msg_len < this_len) {
LOGP(DLMIB, LOGL_ERROR,