peer: fix dangling peer->current_htlc->htlc pointer.

It currently points into freed memory once we've make_commit_txs; we
don't currently dereference it after that, but I did in some test code
and got a surprise.  Make a copy in all cases where we set it, so
there can't be lifetime problems.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

daemon/packets.c

@@ -513,7 +513,7 @@ Pkt *accept_pkt_htlc_routefail(const tal_t *ctx,
 		goto fail;
 	}
 
-	cur->htlc = &peer->cstate->a.htlcs[i];
+	cur->htlc = tal_dup(cur, struct channel_htlc, &peer->cstate->a.htlcs[i]);
 
 	/* Removing it should not fail: we regain HTLC amount */
 	cur->cstate = copy_funding(cur, peer->cstate);
@@ -563,7 +563,7 @@ Pkt *accept_pkt_htlc_timedout(const tal_t *ctx,
 		goto fail;
 	}
 
-	cur->htlc = &peer->cstate->a.htlcs[i];
+	cur->htlc = tal_dup(cur, struct channel_htlc, &peer->cstate->a.htlcs[i]);
 
 	/* Do we agree it has timed out? */
 	if (controlled_time().ts.tv_sec < abs_locktime_to_seconds(&cur->htlc->expiry)) {
@@ -619,7 +619,7 @@ Pkt *accept_pkt_htlc_fulfill(const tal_t *ctx,
 		goto fail;
 	}
 
-	cur->htlc = &peer->cstate->a.htlcs[i];
+	cur->htlc = tal_dup(cur, struct channel_htlc, &peer->cstate->a.htlcs[i]);
 
 	/* Removing it should not fail: they gain HTLC amount */
 	cur->cstate = copy_funding(cur, peer->cstate);

daemon/peer.c

@@ -1288,7 +1288,8 @@ static void set_htlc_command(struct peer *peer,
 
 	peer->current_htlc = tal(peer, struct htlc_progress);
 	peer->current_htlc->cstate = tal_steal(peer->current_htlc, cstate);
-	peer->current_htlc->htlc = htlc;
+	peer->current_htlc->htlc = tal_dup(peer->current_htlc,
+					   struct channel_htlc, htlc);
 	if (r_fulfill)
 		peer->current_htlc->r = *r_fulfill;