If the PULL_DB control times out but the remote node is still sending the data, then the tevent_req for pull_database_send will be freed without removing the message handler. So when the data is received, the srvid handler will be called and it will try to access the tevent_req, which will result in a use-after-free and an abort.
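The lifetime rule behind this report, as an added example that is not part of the original report or the attached patches: a self-contained C model in which the request's single teardown path unregisters its message handler before freeing, so data arriving after a timeout finds no handler. It uses no tevent or CTDB code; every name and the srvid value are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model only: no tevent/CTDB code; all names and srvid values are hypothetical. */
typedef void (*handler_fn)(int data, void *private_data);
struct handler { uint64_t srvid; handler_fn fn; void *private_data; };
static struct handler handlers[8];

static int handler_set(uint64_t srvid, handler_fn fn, void *private_data) {
    for (int i = 0; i < 8; i++)
        if (handlers[i].fn == NULL) { handlers[i] = (struct handler){ srvid, fn, private_data }; return 0; }
    return -1; /* table full */
}
static void handler_remove(uint64_t srvid, void *private_data) {
    for (int i = 0; i < 8; i++)
        if (handlers[i].srvid == srvid && handlers[i].private_data == private_data)
            handlers[i] = (struct handler){ 0 };
}
static int dispatch(uint64_t srvid, int data) { /* returns how many handlers ran */
    int called = 0;
    for (int i = 0; i < 8; i++)
        if (handlers[i].fn != NULL && handlers[i].srvid == srvid) {
            handlers[i].fn(data, handlers[i].private_data);
            called++;
        }
    return called;
}

struct pull_req { uint64_t srvid; int records; };
static void pull_handler(int data, void *private_data) {
    struct pull_req *req = private_data; /* dangling if req was freed while still registered */
    req->records += data;
}
static struct pull_req *pull_req_start(uint64_t srvid) {
    struct pull_req *req = calloc(1, sizeof(*req));
    if (req == NULL) return NULL;
    req->srvid = srvid;
    if (handler_set(srvid, pull_handler, req) != 0) { free(req); return NULL; }
    return req;
}
/* Single teardown path for completion, timeout and cancel: unregister, then free. */
static void pull_req_free(struct pull_req *req) {
    handler_remove(req->srvid, req);
    free(req);
}
/* Timeout while the peer is still sending: the late message must reach no handler. */
int late_handlers_after_timeout(void) {
    struct pull_req *req = pull_req_start(0xF1);
    if (req == NULL || dispatch(0xF1, 3) != 1 || req->records != 3) return -1;
    pull_req_free(req);       /* models the control timing out */
    return dispatch(0xF1, 5); /* late data from the remote node */
}
```

Dropping the `handler_remove()` call from `pull_req_free()` reproduces the reported pattern in this model, which a build with `-fsanitize=address` flags as a heap-use-after-free in `pull_handler()`.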
Created attachment 13887: Patches for v4-6
Created attachment 13888: Patches for v4-7
Sorry, I forgot about this or I would have done this a while ago. At least it is low probability.
Hi Karolin, This is ready for 4.6 and 4.7. Thanks...
(In reply to Martin Schwenke from comment #4) Pushed to autobuild-v4-{7,6}-test.
(In reply to Karolin Seeger from comment #5) Pushed to both branches. Closing out bug report. Thanks!