From 070eab6ed26b1bc287618f0372b8b4489f7479f3 Mon Sep 17 00:00:00 2001 From: Joshua Colp Date: Tue, 24 May 2016 07:28:17 -0300 Subject: res_pjsip_outbound_publish: Ensure publish is valid when explicitly destroying. Recent changes to res_pjsip_outbound_publish have introduced a race condition at shutdown where an outbound publish may be shutdown twice. In this case the first succeeds as a result of the unpublish. In the second invocation since it's been unpublished a task is queued to just destroy the client. This task holds no ref to the publish and as a result the publish may be destroyed before the task is run, causing a crash. This explicit destruction task now holds a reference to the publish to ensure it remains valid. ASTERISK-26053 #close Change-Id: I10789b98add3e50292ee3b33a55a1d9061cec94b --- res/res_pjsip_outbound_publish.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/res/res_pjsip_outbound_publish.c b/res/res_pjsip_outbound_publish.c index 1c3b0c644..53e15a0a4 100644 --- a/res/res_pjsip_outbound_publish.c +++ b/res/res_pjsip_outbound_publish.c @@ -1125,6 +1125,8 @@ static int explicit_publish_destroy(void *data) ao2_ref(publisher, -1); } + ao2_ref(publisher, -1); + return 0; } @@ -1140,7 +1142,9 @@ static int cancel_and_unpublish(void *obj, void *arg, int flags) /* If the publisher was never started, there's nothing to unpublish, so just * destroy the publication and remove its reference to the publisher. */ - ast_sip_push_task(NULL, explicit_publish_destroy, publisher); + if (ast_sip_push_task(NULL, explicit_publish_destroy, ao2_bump(publisher))) { + ao2_ref(publisher, -1); + } return 0; } -- cgit v1.2.3