fix use-after-free on next_sub in broker fan-out loops

[jmestwa-coder]

Use-after-free in the two broker subscription fan-out loops when a WebSocket subscriber's peer closes during a fan-out write:

• BrokerHandle_Publish and BrokerClient_PublishWillImmediate snapshot next_sub, but the write to a WS subscriber spins lws_service and a re-entrant LWS_CALLBACK_CLOSED runs BrokerSubs_RemoveClient, freeing that subscriber's BrokerSub nodes
• pending_remove keeps the BrokerClient alive across the spin, but the sub nodes are freed regardless, so a subscriber with two adjacent matching filters has its snapshotted next_sub freed under the loop, then sub = next_sub dereferences it
• revalidate next_sub against broker->subs after the write, the same walk MqttBroker_Step already does for the client list
• static-memory builds use array indices and are unaffected

[wolfSSL-Bot]

Can one of the admins verify this patch?

[dgarske]

Hi @jmestwa-coder , thank you for this. I see your CLA in process in ZD 21916. Assigning this over to @embhorn to manage. Thanks, David Garske, wolfSSL