This patch fixes an issue in pjsip_tx_data_dec_ref()
where tx_data_destroy() could be called more than once,
and adds a check for an invalid value (e.g. NULL) being passed in.
Index: pjsip/src/pjsip/sip_transport.c
===================================================================
--- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
+++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
@@ -491,8 +491,13 @@
*/
PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
{
- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
+ pj_atomic_value_t ref_cnt;
+
+ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
+
+ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
+ pj_assert( ref_cnt >= 0);
+ if (ref_cnt == 0) {
tx_data_destroy(tdata);
return PJSIP_EBUFDESTROYED;
} else {
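Review bot: A negative `ref_cnt` after the decrement is caught only by `pj_assert( ref_cnt >= 0)`, so in a build with assertions compiled out an extra pjsip_tx_data_dec_ref() call falls into the `else` branch (whose body is outside this hunk) and the caller is never told about the underflow. The `== 0` test does stop a second tx_data_destroy(), but the underflow should be reported explicitly, e.g. `if (ref_cnt < 0) return PJ_EINVAL;` placed before `if (ref_cnt == 0) {`. The NULL guard depends on PJ_ASSERT_RETURN, which as far as I know returns only when PJ_ENABLE_EXTRA_CHECK is enabled, so that configuration dependency is worth a comment. If an earlier call already destroyed `tdata`, reading `tdata->ref_cnt` here touches released memory that this function cannot detect, so I would also add a comment such as `/* tdata must not be used after PJSIP_EBUFDESTROYED is returned */` above the function.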