Maybe free_buffer is getting called twice on the same structure, changed patch to null out the buffer field.
If free_buffer is getting called twice, we should see a __wrap_free ... p = 0 in the backtrace.
It's also possible that the buffer is getting free'd since buffer is shared with the iarchive zookeeper.c:1781 but I couldn't find any paths where the iarchive buffer is free'd by manually tracing through.
One thing I am confused about is that the segfault happens at the end of the testConnectIndex1 test, but the path that it is taking is processing outstanding synchronous completions. The only synchronous completion that could be there is the zoo_exists call, but this was completed at the beginning of the test, before the server was stopped.