diff options
author | Richard Mudgett <rmudgett@digium.com> | 2015-02-17 15:34:10 +0000 |
---|---|---|
committer | Richard Mudgett <rmudgett@digium.com> | 2015-02-17 15:34:10 +0000 |
commit | 09bfe4b2088e61a085004f5cd679040532533054 (patch) | |
tree | 50feade55641576dbcc8a1b199bcbf6051bb3d3e /res/res_pjsip_sdp_rtp.c | |
parent | d808eace5c308bafc9b592d94d7b7c2b98b1e84c (diff) |
res_pjsip_refer: Fix crash from a REFER and BYE collision.
Analyzing a one-off crash on a busy system showed that processing a REFER
request had a NULL session channel pointer. The only way I can think of
that could cause this is if an outgoing BYE transaction overlapped the
incoming REFER transaction in a collision. Asterisk sends a BYE while the
phone sends a REFER to complete an attended transfer.
* Made check the session channel pointer before processing an incoming
REFER request in res_pjsip_refer.
* Fixed similar crash potential for res_pjsip supplement incoming request
processing for res_pjsip_sdp_rtp INFO, res_pjsip_caller_id INVITE/UPDATE,
res_pjsip_messaging MESSAGE, and res_pjsip_send_to_voicemail REFER
messages.
* Made res_pjsip_messaging respond to a message body too large with a 413
instead of ignoring it.
ASTERISK-24700 #close
Reported by: Zane Conkle
Review: https://reviewboard.asterisk.org/r/4417/
........
Merged revisions 431898 from http://svn.asterisk.org/svn/asterisk/branches/13
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@431899 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_pjsip_sdp_rtp.c')
-rw-r--r-- | res/res_pjsip_sdp_rtp.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c index 4cac53731..a2550df9e 100644 --- a/res/res_pjsip_sdp_rtp.c +++ b/res/res_pjsip_sdp_rtp.c @@ -1269,15 +1269,18 @@ static struct ast_sip_session_sdp_handler video_sdp_handler = { static int video_info_incoming_request(struct ast_sip_session *session, struct pjsip_rx_data *rdata) { - struct pjsip_transaction *tsx = pjsip_rdata_get_tsx(rdata); + struct pjsip_transaction *tsx; pjsip_tx_data *tdata; - if (!ast_sip_is_content_type(&rdata->msg_info.msg->body->content_type, - "application", - "media_control+xml")) { + if (!session->channel + || !ast_sip_is_content_type(&rdata->msg_info.msg->body->content_type, + "application", + "media_control+xml")) { return 0; } + tsx = pjsip_rdata_get_tsx(rdata); + ast_queue_control(session->channel, AST_CONTROL_VIDUPDATE); if (pjsip_dlg_create_response(session->inv_session->dlg, rdata, 200, NULL, &tdata) == PJ_SUCCESS) { |