authorKevin Harwell <kharwell@digium.com>2014-01-28 23:40:28 +0000
committerKevin Harwell <kharwell@digium.com>2014-01-28 23:40:28 +0000
commit565198b44bc77792affcf9ce19909b63bd90870c (patch)
tree244dc59857df132da7981e2145246b16b250f809
parentade5c8a2a47d2c2b1b0a4ab70eabd4bc095bd289 (diff)
res_pjsip_pubsub: potential crash on timeout
What seems to be happening is if a subscription has been terminated and the subscription timeout/expires is less than the time it takes for all pending transactions (currently on the subscription) to end then the subscription timer will not have been canceled yet and sub will be null. Since the subscription has already been canceled nothing needs to be done so a null check in the asterisk code is sufficient in working around this problem. (closes issue ASTERISK-23129) Reported by: Dan Jenkins ........ Merged revisions 406847 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@406848 65c4cc65-6c06-0410-ace0-fbb531ad65f3
-rw-r--r--res/res_pjsip_pubsub.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 2dcfaf68a..5bc2cb468 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1234,6 +1234,15 @@ static void pubsub_on_server_timeout(pjsip_evsub *evsub)
{
struct ast_sip_subscription *sub = pjsip_evsub_get_mod_data(evsub, pubsub_module.id);
+ if (!sub) {
+ /* if a subscription has been terminated and the subscription
+ timeout/expires is less than the time it takes for all pending
+ transactions to end then the subscription timer will not have
+ been canceled yet and sub will be null, so do nothing since
+ the subscription has already been terminated. */
+ return;
+ }
+
ao2_ref(sub, +1);
ast_sip_push_task(sub->serializer, serialized_pubsub_on_server_timeout, sub);
}
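Review bot: The result of `ast_sip_push_task()` on the last statement of `pubsub_on_server_timeout` is ignored, so if the task cannot be queued the reference taken by `ao2_ref(sub, +1)` on the line before is never dropped. This assumes the serialized callback is what releases that reference; its body is not in the hunk. Consider `if (ast_sip_push_task(sub->serializer, serialized_pubsub_on_server_timeout, sub)) { ao2_cleanup(sub); }`. Since the commit message ties the NULL case to the subscription's timeout/expires value, which is presumably negotiated with the remote subscriber, a debug-level log line before the new `return;` would help operators spot this path being hit repeatedly. The new check also does not cover the window between `pjsip_evsub_get_mod_data()` returning a non-NULL `sub` and the `ao2_ref()` bump, so it is worth confirming that nothing can release the last reference on another thread in that window.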