Ticket #787: Crash when UAC invite or subscribe session initialization fails (thanks Rostislav Molodyko for the report)

 - backported changes from #786


git-svn-id: http://svn.pjsip.org/repos/pjproject/branches/1.0@2811 74dad513-b988-da41-8d7b-12977e46ad98

3 files changed, 27 insertions, 6 deletions

diff --git a/pjsip/src/pjsip-ua/sip_inv.c b/pjsip/src/pjsip-ua/sip_inv.c
index cd371daf..fc489440 100644
--- a/pjsip/src/pjsip-ua/sip_inv.c
+++ b/pjsip/src/pjsip-ua/sip_inv.c
@@ -1367,8 +1367,10 @@ PJ_DEF(pj_status_t) pjsip_inv_invite( pjsip_inv_session *inv,
 	const pjmedia_sdp_session *offer;
 
 	status = pjmedia_sdp_neg_get_neg_local(inv->neg, &offer);
-	if (status != PJ_SUCCESS)
+	if (status != PJ_SUCCESS) {
+	    pjsip_tx_data_dec_ref(tdata);
 	    goto on_return;
+	}
 
 	tdata->msg->body = create_sdp_body(tdata->pool, offer);
     }
diff --git a/pjsip/src/pjsua-lib/pjsua_call.c b/pjsip/src/pjsua-lib/pjsua_call.c
index 2276da3e..a55b6bb7 100644
--- a/pjsip/src/pjsua-lib/pjsua_call.c
+++ b/pjsip/src/pjsua-lib/pjsua_call.c
@@ -448,6 +448,11 @@ PJ_DEF(pj_status_t) pjsua_call_make_call( pjsua_acc_id acc_id,
 	return status;
     }
 
+    /* Increment the dialog's lock otherwise when invite session creation
+     * fails the dialog will be destroyed prematurely.
+     */
+    pjsip_dlg_inc_lock(dlg);
+
     /* Calculate call's secure level */
     call->secure_level = get_secure_level(acc_id, dest_uri);
 
@@ -538,11 +543,10 @@ PJ_DEF(pj_status_t) pjsua_call_make_call( pjsua_acc_id acc_id,
 	pjsua_perror(THIS_FILE, "Unable to send initial INVITE request", 
 		     status);
 
-	/* Upon failure to send first request, both dialog and invite 
+	/* Upon failure to send first request, the invite 
 	 * session would have been cleared.
 	 */
 	inv = NULL;
-	dlg = NULL;
 	goto on_error;
     }
 
@@ -551,6 +555,7 @@ PJ_DEF(pj_status_t) pjsua_call_make_call( pjsua_acc_id acc_id,
     if (p_call_id)
 	*p_call_id = call_id;
 
+    pjsip_dlg_dec_lock(dlg);
     pj_pool_release(tmp_pool);
     PJSUA_UNLOCK();
 
@@ -558,10 +563,13 @@ PJ_DEF(pj_status_t) pjsua_call_make_call( pjsua_acc_id acc_id,
 
 
 on_error:
+    if (dlg) {
+	/* This may destroy the dialog */
+	pjsip_dlg_dec_lock(dlg);
+    }
+
     if (inv != NULL) {
 	pjsip_inv_terminate(inv, PJSIP_SC_OK, PJ_FALSE);
-    } else if (dlg) {
-	pjsip_dlg_terminate(dlg);
     }
 
     if (call_id != -1) {
diff --git a/pjsip/src/pjsua-lib/pjsua_pres.c b/pjsip/src/pjsua-lib/pjsua_pres.c
index c0461bd4..2eb78230 100644
--- a/pjsip/src/pjsua-lib/pjsua_pres.c
+++ b/pjsip/src/pjsua-lib/pjsua_pres.c
@@ -1442,13 +1442,21 @@ static void subscribe_buddy_presence(unsigned index)
 	return;
     }
 
+    /* Increment the dialog's lock otherwise when presence session creation
+     * fails the dialog will be destroyed prematurely.
+     */
+    pjsip_dlg_inc_lock(buddy->dlg);
+
     status = pjsip_pres_create_uac( buddy->dlg, &pres_callback, 
 				    PJSIP_EVSUB_NO_EVENT_ID, &buddy->sub);
     if (status != PJ_SUCCESS) {
 	pjsua_var.buddy[index].sub = NULL;
 	pjsua_perror(THIS_FILE, "Unable to create presence client", 
 		     status);
-	pjsip_dlg_terminate(buddy->dlg);
+	/* This should destroy the dialog since there's no session
+	 * referencing it
+	 */
+	pjsip_dlg_dec_lock(buddy->dlg);
 	if (tmp_pool) pj_pool_release(tmp_pool);
 	return;
     }
@@ -1481,6 +1489,7 @@ static void subscribe_buddy_presence(unsigned index)
 
     status = pjsip_pres_initiate(buddy->sub, -1, &tdata);
     if (status != PJ_SUCCESS) {
+	pjsip_dlg_dec_lock(buddy->dlg);
 	if (buddy->sub) {
 	    pjsip_pres_terminate(buddy->sub, PJ_FALSE);
 	}
@@ -1495,6 +1504,7 @@ static void subscribe_buddy_presence(unsigned index)
 
     status = pjsip_pres_send_request(buddy->sub, tdata);
     if (status != PJ_SUCCESS) {
+	pjsip_dlg_dec_lock(buddy->dlg);
 	if (buddy->sub) {
 	    pjsip_pres_terminate(buddy->sub, PJ_FALSE);
 	}
@@ -1505,6 +1515,7 @@ static void subscribe_buddy_presence(unsigned index)
 	return;
     }
 
+    pjsip_dlg_dec_lock(buddy->dlg);
     if (tmp_pool) pj_pool_release(tmp_pool);
 }