Avoid use-after-free on streams, due to message callbacks

When sending outbound stream RPC messages, a callback is
used to re-enable stream data transmission. If the stream
aborts while one of these messages is outstanding, the
stream may have been free'd by the time it is invoked. This
results in a use-after-free error

* daemon/stream.c: Ref-count streams to avoid use-after-free

daemon/stream.c

@@ -38,6 +38,7 @@
 
 struct daemonClientStream {
     daemonClientPrivatePtr priv;
+    int refs;
 
     virNetServerProgramPtr prog;
 
@@ -102,6 +103,8 @@ daemonStreamMessageFinished(virNetMessagePtr msg,
 
     stream->tx = 1;
     daemonStreamUpdateEvents(stream);
+
+    daemonFreeClientStream(NULL, stream);
 }
 
 
@@ -299,6 +302,7 @@ daemonCreateClientStream(virNetServerClientPtr client,
         return NULL;
     }
 
+    stream->refs = 1;
     stream->priv = priv;
     stream->prog = prog;
     stream->procedure = header->proc;
@@ -326,6 +330,10 @@ int daemonFreeClientStream(virNetServerClientPtr client,
     if (!stream)
         return 0;
 
+    stream->refs--;
+    if (stream->refs)
+        return 0;
+
     VIR_DEBUG("client=%p, proc=%d, serial=%d",
               client, stream->procedure, stream->serial);
 
@@ -727,6 +735,7 @@ daemonStreamHandleRead(virNetServerClientPtr client,
         if (msg) {
             msg->cb = daemonStreamMessageFinished;
             msg->opaque = stream;
+            stream->refs++;
             ret = virNetServerProgramSendStreamData(remoteProgram,
                                                     client,
                                                     msg,