in_forward: fix segfault and double-free in trace path handling

- Incomplete error check: only checked ret == -1, but ctr_decode_msgpack_create()
  can return other error codes. When ctr is NULL on error, this caused NULL
  pointer dereference.

- Double-free: called ctr_decode_msgpack_destroy() after successful
  flb_input_trace_append(), but that function takes ownership and destroys
  the context internally.

Signed-off-by: Eduardo Silva <[email protected]>

Author: edsiper

plugins/in_forward/fw_prot.c

@@ -1146,8 +1146,8 @@ static int append_log(struct flb_input_instance *ins, struct fw_conn *conn,
     else if (event_type == FLB_EVENT_TYPE_TRACES) {
         off = 0;
         ret = ctr_decode_msgpack_create(&ctr, (char *) data, len, &off);
-        if (ret == -1) {
-            flb_error("could not decode trace message. ret=%d", ret);
+        if (ret != CTR_DECODE_MSGPACK_SUCCESS) {
+            flb_plg_error(ins, "could not decode trace message. ret=%d", ret);
             return -1;
         }
 
@@ -1159,7 +1159,7 @@ static int append_log(struct flb_input_instance *ins, struct fw_conn *conn,
             ctr_decode_msgpack_destroy(ctr);
             return -1;
         }
-        ctr_decode_msgpack_destroy(ctr);
+        /* Note: flb_input_trace_append takes ownership of ctr and destroys it on success */
     }
 
     return 0;