diff options
| author | Matt Jordan <mjordan@digium.com> | 2015-11-16 13:56:49 -0600 |
|---|---|---|
| committer | Matt Jordan <mjordan@digium.com> | 2015-11-16 14:07:36 -0600 |
| commit | f62b642fe32d06ca24b4a0de94543279fe918d0a (patch) | |
| tree | 704e491e083b92bc6f0c30aee622eda1134158d1 /res | |
| parent | afd9a89e5a0ed041d576afa1f387000404ed3c4d (diff) | |
res/res_pjsip: Fix off nominal crash with requests that fail and have a timer
When a request is sent using pjsip_endpt_send_request and fails, a condition
exists where the request wrapper, which is an AO2 object, may be de-ref'd
more times than it should. This occurs when the request's callback is called,
and, in the callback, the timer on the PJSIP heap is cancelled. When that
occurs, the request wrapper's lifetime is decremented. When
pjsip_endpt_send_request fails, we unilaterally decrement the lifetime of
the request wrapper again, even though we've already cancelled the reference
associated with the timer.
This patch checks the return result of pj_timer_heap_cancel_if_active before
removing the reference associated with the timer. We now only decrement it
in this case if a timer is cancelled as a result of the function call.
Change-Id: I21332343a1a019c1117076f9bf2df27be2850102
Diffstat (limited to 'res')
| -rw-r--r-- | res/res_pjsip.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/res/res_pjsip.c b/res/res_pjsip.c index babbe7aaa..8e99c55d4 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -3155,9 +3155,11 @@ static pj_status_t endpt_send_request(struct ast_sip_endpoint *endpoint, char errmsg[PJ_ERR_MSG_SIZE]; if (timeout > 0) { - pj_timer_heap_cancel_if_active(pjsip_endpt_get_timer_heap(endpt), + int timers_cancelled = pj_timer_heap_cancel_if_active(pjsip_endpt_get_timer_heap(endpt), req_wrapper->timeout_timer, TIMER_INACTIVE); - ao2_ref(req_wrapper, -1); + if (timers_cancelled > 0) { + ao2_ref(req_wrapper, -1); + } } /* Complain of failure to send the request. */ |