Fix: use-after-free after ClientNetworkCoordinatorSocketHandler::CloseAllConnections() (#9534)

The function clears all stun-handlers. This causes all of those
objects to be destroyed.
A handler can have a pending connecter, which was only killed in
case CloseConnection() was called. This is never the case when
the object is destroyed. In result, the connecter could finish
and cause a use-after-free by calling into the (now deleted)
handler.

src/network/network_turn.cpp

@@ -108,9 +108,7 @@ NetworkRecvStatus ClientNetworkTurnSocketHandler::CloseConnection(bool error)
 {
 	NetworkTurnSocketHandler::CloseConnection(error);
 
-	/* If our connecter is still pending, shut it down too. Otherwise the
-	 * callback of the connecter can call into us, and our object is most
-	 * likely about to be destroyed. */
+	/* Also make sure any pending connecter is killed ASAP. */
 	if (this->connecter != nullptr) {
 		this->connecter->Kill();
 		this->connecter = nullptr;
@@ -119,6 +117,14 @@ NetworkRecvStatus ClientNetworkTurnSocketHandler::CloseConnection(bool error)
 	return NETWORK_RECV_STATUS_OKAY;
 }
 
+ClientNetworkTurnSocketHandler::~ClientNetworkTurnSocketHandler()
+{
+	if (this->connecter != nullptr) {
+		this->connecter->Kill();
+		this->connecter = nullptr;
+	}
+}
+
 /**
  * Check whether we received/can send some data from/to the TURN server and
  * when that's the case handle it appropriately