
uac: fix memory corruption from shared tp being freed by another transaction

- Shared memory corruption resulting in multiple process core dumps. Triggered by an outbound REGISTER receiving 401 for all requests, which resulted in the shared tp being released in uac_resend_tm_callback whilst the current transaction was put on timer and also used after release and then re-released. In order to avoid sharing the tp, I changed the code in uac_send_tm_callback to clone the existing tp. Also added a sanity check for null as tp could be released prior to a dereference of tp->event.

(cherry picked from commit d529b511b1ce722ceccf29dc006e92d45f1f340e)
ngash, 5 months ago
Parent
Current commit
4262016921
1 file changed, 8 insertions and 3 deletions

+ 8 - 3
src/modules/uac/uac_send.c

@@ -807,7 +807,7 @@ void uac_send_tm_callback(struct cell *t, int type, struct tmcb_params *ps)
 		/* Callback function */
 		uac_r.cb = uac_resend_tm_callback;
 		/* Callback parameter */
-		uac_r.cbp = (void *)tp;
+		uac_r.cbp = (void *)uac_send_info_clone(tp);
 	}
 	ret = _uac_send_tmb.t_request_within(&uac_r);
 
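Review bot: the clone created at `uac_r.cbp = (void *)uac_send_info_clone(tp);` is only released in the TMCB_LOCAL_REQUEST_DROP branch further down, so when `_uac_send_tmb.t_request_within(&uac_r)` fails and the function takes the `goto error` path, the cloned shared-memory block is leaked. Consider freeing `uac_r.cbp` on the error path as well, and checking the clone result for NULL before calling t_request_within, since a failed shm allocation would otherwise hand uac_resend_tm_callback a NULL parameter unless that callback tolerates one.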
@@ -816,13 +816,18 @@ void uac_send_tm_callback(struct cell *t, int type, struct tmcb_params *ps)
 		goto error;
 	}
 	if(uac_r.cb_flags & TMCB_LOCAL_REQUEST_DROP) {
+		if(uac_r.cbp != NULL)
+			shm_free(uac_r.cbp);
+
 		shm_free(tp);
 		*ps->param = NULL;
 		tp = NULL;
 	}
 
-	if(tp->evroute != 0) {
-		return;
+	if(tp != NULL) {
+		if(tp->evroute != 0) {
+			return;
+		}
 	}
 
 done:
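Review bot: the nested `if(tp != NULL) { if(tp->evroute != 0) { return; } }` reads more naturally as a single `if(tp != NULL && tp->evroute != 0) { return; }`, matching the style of the `if(uac_r.cbp != NULL)` check added above. Note also that the guard only covers this one dereference: after the DROP branch sets `tp = NULL` and `*ps->param = NULL`, control falls through to `done:`, so any code after that label (not visible in this hunk) must likewise not touch tp.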