From 8ea214aed782424a884b9a2f67d6dca270854e83 Mon Sep 17 00:00:00 2001
From: Richard Mudgett
Date: Fri, 26 Jun 2015 10:36:19 -0500
Subject: PJSIP FAX: Fix T.38 automatic reject timer NULL channel pointer dereferences.
When a caller calls a FAX number and then hangs up right after the call is answered then the T.38 re-INVITE automatic reject timer may still be running after the channel goes away.
* Added session NULL channel checks on the code paths that get executed by t38_automatic_reject() to prevent a crash when the T.38 re-INVITE automatic reject timer expires.
ASTERISK-25168
Reported by: Carl Fortin
Change-Id: I07b6cd23815aedce5044f8f32543779e2f7a2403
---
 res/res_pjsip_t38.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'res/res_pjsip_t38.c')
diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index 06a73cc11..d3c8bd728 100644
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
@@ -135,10 +135,13 @@ static void t38_change_state(struct ast_sip_session *session, struct ast_sip_ses
 }
 session->t38state = new_state;
- ast_debug(2, "T.38 state changed to '%u' from '%u' on channel '%s'\n", new_state, old_state, ast_channel_name(session->channel));
+ ast_debug(2, "T.38 state changed to '%u' from '%u' on channel '%s'\n",
+ new_state, old_state,
+ session->channel ? ast_channel_name(session->channel) : "");
 if (pj_timer_heap_cancel(pjsip_endpt_get_timer_heap(ast_sip_get_pjsip_endpoint()), &state->timer)) {
- ast_debug(2, "Automatic T.38 rejection on channel '%s' terminated\n", ast_channel_name(session->channel));
+ ast_debug(2, "Automatic T.38 rejection on channel '%s' terminated\n",
+ session->channel ? ast_channel_name(session->channel) : "");
 ao2_ref(session, -1);
 }
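Review bot: The guard `session->channel ? ast_channel_name(session->channel) : ""` is written out twice in t38_change_state and a third time in the t38_automatic_reject hunk, so the three log sites can drift apart; a small `static` helper that takes the session and returns either the channel name or the fallback would keep them identical. As rendered on this page the fallback is an empty string, which logs as `channel ''` and cannot be told apart from a channel whose name is empty, so a visible marker would make the timer-after-hangup case easier to find in debug logs. Only the two ast_debug() arguments are guarded here; t38_change_state continues past the end of the hunk, and any later use of session->channel in it is not visible from this diff.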
@@ -198,7 +201,8 @@ static int t38_automatic_reject(void *obj)
 return 0;
 }
- ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n", ast_channel_name(session->channel));
+ ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
+ session->channel ? ast_channel_name(session->channel) : "");
 t38_change_state(session, session_media, datastore->data, T38_REJECTED);
 ast_sip_session_resume_reinvite(session);
@@ -227,9 +231,9 @@ static struct t38_state *t38_state_get_or_alloc(struct ast_sip_session *session)
 return datastore->data;
 }
- if (!(datastore = ast_sip_session_alloc_datastore(&t38_datastore, "t38")) ||
- !(datastore->data = ast_calloc(1, sizeof(struct t38_state))) ||
- ast_sip_session_add_datastore(session, datastore)) {
+ if (!(datastore = ast_sip_session_alloc_datastore(&t38_datastore, "t38"))
+ || !(datastore->data = ast_calloc(1, sizeof(struct t38_state)))
+ || ast_sip_session_add_datastore(session, datastore)) {
 return NULL;
 }
-- cgit v1.2.3
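Review bot: In t38_automatic_reject the new NULL check covers only the ast_debug() argument; the following `t38_change_state(session, session_media, datastore->data, T38_REJECTED);` and `ast_sip_session_resume_reinvite(session);` still run after the channel has gone away. The commit message describes this state as reachable by a caller who hangs up right after answer, so the reason no early return is taken deserves a comment above those two calls, for example `/* channel may already be gone (caller hung up); both calls below must tolerate session->channel == NULL */`. Whether ast_sip_session_resume_reinvite() touches the channel cannot be confirmed from this hunk, and the function body starts and ends outside it.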