A use-after-free vulnerability #600

@ycaibb

Hi, there is a potential use-after-free bug. If you think so, please confirm and fix.

In the file coturn/src/server/ns_turn_server.cm, the write_to_peerchannel function (line 4190) frees the nbh at line 4134 and uses it at line 4138.

rc = send_data_from_ioa_socket_nbh(get_relay_socket_ss(ss, chn->peer_addr.ss.sa_family), &(chn->peer_addr), nbh, in_buffer->recv_ttl-1, in_buffer->recv_tos, &skip); // line 4134

ss->peer_sent_bytes += (uint32_t)ioa_network_buffer_get_size(in_buffer->nbh); //4138

The send_data_from_ioa_socket_nbh function is in coturn/src/apps/relay/ns_ioalib_engine_impl.c and the free operation is ioa_network_buffer_delete(s->e, nbh) at line 3250.

Thank you
Ryan
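
The pattern this report describes, a send routine that consumes the buffer followed by a size read on the same buffer, and one way to avoid it, shown as an added example that is not coturn code and not part of the original issue. The names `net_buf`, `buf_new`, `send_and_consume` and `relay_and_account` are hypothetical stand-ins, and counting bytes only on a successful send is a choice made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CAP 64

/* Hypothetical stand-in for a network buffer handle (not coturn's type). */
typedef struct { size_t len; uint8_t data[BUF_CAP]; } net_buf;

static net_buf *buf_new(const void *p, size_t n) {
    if (n > BUF_CAP) return NULL;           /* reject oversized payloads */
    net_buf *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    memcpy(b->data, p, n);
    b->len = n;
    return b;
}

/* Takes ownership: always frees the buffer and clears the caller's pointer,
 * so a later dereference fails loudly instead of reading freed memory. */
static int send_and_consume(net_buf **pb) {
    int rc = (*pb != NULL && (*pb)->len > 0) ? 0 : -1;
    free(*pb);
    *pb = NULL;
    return rc;
}

/* Reported pattern, kept as a comment so it is never executed:
 *     rc = send(..., nbh, ...);      // callee frees nbh
 *     sent_bytes += size(nbh);       // size read after the free
 *
 * Corrected ordering: read everything needed from the buffer while it is
 * still owned, then hand it over. */
static uint32_t relay_and_account(uint32_t sent_bytes, const void *p, size_t n) {
    net_buf *b = buf_new(p, n);
    if (!b) return sent_bytes;
    size_t len = b->len;                    /* captured before ownership moves */
    int rc = send_and_consume(&b);          /* b is NULL from this point on */
    if (rc == 0) sent_bytes += (uint32_t)len;
    return sent_bytes;
}
```

Building the real code with AddressSanitizer (`-fsanitize=address`) is a direct way to confirm or rule out a report like this one, since a read of a freed buffer aborts with a heap-use-after-free trace.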
