authorRichard Mudgett <rmudgett@digium.com>2015-02-17 15:34:10 +0000
committerRichard Mudgett <rmudgett@digium.com>2015-02-17 15:34:10 +0000
commit09bfe4b2088e61a085004f5cd679040532533054 (patch)
tree50feade55641576dbcc8a1b199bcbf6051bb3d3e /res/res_pjsip_refer.c
parentd808eace5c308bafc9b592d94d7b7c2b98b1e84c (diff)
res_pjsip_refer: Fix crash from a REFER and BYE collision.
Analyzing a one-off crash on a busy system showed that processing a REFER request had a NULL session channel pointer. The only way I can think of that could cause this is if an outgoing BYE transaction overlapped the incoming REFER transaction in a collision. Asterisk sends a BYE while the phone sends a REFER to complete an attended transfer. * Made check the session channel pointer before processing an incoming REFER request in res_pjsip_refer. * Fixed similar crash potential for res_pjsip supplement incoming request processing for res_pjsip_sdp_rtp INFO, res_pjsip_caller_id INVITE/UPDATE, res_pjsip_messaging MESSAGE, and res_pjsip_send_to_voicemail REFER messages. * Made res_pjsip_messaging respond to a message body too large with a 413 instead of ignoring it. ASTERISK-24700 #close Reported by: Zane Conkle Review: https://reviewboard.asterisk.org/r/4417/ ........ Merged revisions 431898 from http://svn.asterisk.org/svn/asterisk/branches/13 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@431899 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_pjsip_refer.c')
-rw-r--r--res/res_pjsip_refer.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/res/res_pjsip_refer.c b/res/res_pjsip_refer.c
index cc0616e9d..b0755b1ea 100644
--- a/res/res_pjsip_refer.c
+++ b/res/res_pjsip_refer.c
@@ -418,7 +418,7 @@ static void refer_attended_destroy(void *obj)
struct refer_attended *attended = obj;
ao2_cleanup(attended->transferer);
- ast_channel_unref(attended->transferer_chan);
+ ast_channel_cleanup(attended->transferer_chan);
ao2_cleanup(attended->transferer_second);
ao2_cleanup(attended->progress);
}
@@ -674,7 +674,7 @@ static int refer_incoming_attended_request(struct ast_sip_session *session, pjsi
return 200;
} else {
- const char *context = (session->channel ? pbx_builtin_getvar_helper(session->channel, "TRANSFER_CONTEXT") : "");
+ const char *context = pbx_builtin_getvar_helper(session->channel, "TRANSFER_CONTEXT");
struct refer_blind refer = { 0, };
if (ast_strlen_zero(context)) {
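Review bot: The `pbx_builtin_getvar_helper(session->channel, "TRANSFER_CONTEXT")` call in refer_incoming_attended_request no longer has its own NULL handling, so it is safe only because of the `if (!session->channel)` guard this commit adds at the top of refer_incoming_refer_request. The same holds for refer_incoming_blind_request, where the `return 404` check is removed in the next hunk. That dependency is invisible at both sites; I would add a comment such as `/* session->channel is non-NULL here; checked once in refer_incoming_refer_request() */` so a later caller or refactor does not reintroduce a NULL dereference on a request that a remote peer controls. Both function bodies start and end outside the hunks shown, so I am assuming refer_incoming_refer_request is their only caller.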
@@ -718,10 +718,6 @@ static int refer_incoming_blind_request(struct ast_sip_session *session, pjsip_r
char exten[AST_MAX_EXTENSION];
struct refer_blind refer = { 0, };
- if (!session->channel) {
- return 404;
- }
-
/* If no explicit transfer context has been provided use their configured context */
context = pbx_builtin_getvar_helper(session->channel, "TRANSFER_CONTEXT");
if (ast_strlen_zero(context)) {
@@ -893,6 +889,14 @@ static int refer_incoming_refer_request(struct ast_sip_session *session, struct
static const pj_str_t str_refer_to = { "Refer-To", 8 };
static const pj_str_t str_replaces = { "Replaces", 8 };
+ if (!session->channel) {
+ /* No channel to refer. Likely because the call was just hung up. */
+ pjsip_dlg_respond(session->inv_session->dlg, rdata, 404, NULL, NULL, NULL);
+ ast_debug(3, "Received a REFER on a session with no channel from endpoint '%s'.\n",
+ ast_sorcery_object_get_id(session->endpoint));
+ return 0;
+ }
+
if (!session->endpoint->allowtransfer) {
pjsip_dlg_respond(session->inv_session->dlg, rdata, 603, NULL, NULL, NULL);
ast_log(LOG_WARNING, "Endpoint %s transfer attempt blocked due to configuration\n",
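Review bot: The new `if (!session->channel)` block reports the event only through `ast_debug(3, ...)`, so with debug output disabled an operator gets no trace of REFERs arriving on sessions without a channel, even though this is the condition that crashed the process. If the quiet level is deliberate (the message is triggered by a remote endpoint, and a higher level would let that endpoint fill the log), the comment should say so, e.g. `/* Debug level only: remotely triggerable, keep it out of the normal log. */`. It would also help to state what `return 0` tells the caller once the 404 has already been sent, since that contract is not visible in this hunk and the function continues past it.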