From e914af2a02fbace89608ca2a72ea990ec8fbb1f5 Mon Sep 17 00:00:00 2001 From: Benny Prijono Date: Thu, 5 Jul 2012 07:02:50 +0000 Subject: Re #1548: Crash due to racing condition in timer when call is disconnected quickly (thanks Joshua Colp for the report!) git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4196 74dad513-b988-da41-8d7b-12977e46ad98 --- pjnath/include/pjnath/ice_session.h | 1 + pjnath/src/pjnath/ice_session.c | 10 ++++++++++ pjsip/src/pjsua-lib/pjsua_media.c | 3 +++ 3 files changed, 14 insertions(+) diff --git a/pjnath/include/pjnath/ice_session.h b/pjnath/include/pjnath/ice_session.h index cf153728..f48e12d4 100644 --- a/pjnath/include/pjnath/ice_session.h +++ b/pjnath/include/pjnath/ice_session.h @@ -619,6 +619,7 @@ struct pj_ice_sess pj_uint8_t *prefs; /**< Type preference. */ pj_bool_t is_nominating; /**< Nominating stage */ pj_bool_t is_complete; /**< Complete? */ + pj_bool_t is_destroying; /**< Destroy is called */ pj_status_t ice_status; /**< Error status. */ pj_timer_entry timer; /**< ICE timer. */ pj_ice_sess_cb cb; /**< Callback. */ diff --git a/pjnath/src/pjnath/ice_session.c b/pjnath/src/pjnath/ice_session.c index bf94e545..40e10d55 100644 --- a/pjnath/src/pjnath/ice_session.c +++ b/pjnath/src/pjnath/ice_session.c @@ -455,6 +455,8 @@ static void destroy_ice(pj_ice_sess *ice, LOG4((ice->obj_name, "Destroying ICE session")); } + ice->is_destroying = PJ_TRUE; + /* Let other callbacks finish */ if (ice->mutex) { pj_mutex_lock(ice->mutex); @@ -1840,8 +1842,16 @@ static pj_status_t start_periodic_check(pj_timer_heap_t *th, ice = td->ice; clist = td->clist; + if (ice->is_destroying) + return PJ_SUCCESS; + pj_mutex_lock(ice->mutex); + if (ice->is_destroying) { + pj_mutex_unlock(ice->mutex); + return PJ_SUCCESS; + } + /* Set timer ID to FALSE first */ te->id = PJ_FALSE; diff --git a/pjsip/src/pjsua-lib/pjsua_media.c b/pjsip/src/pjsua-lib/pjsua_media.c index 8e7db5ac..1f721c8b 100644 --- a/pjsip/src/pjsua-lib/pjsua_media.c 
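Review bot: The `is_destroying` flag narrows the race in `start_periodic_check` but does not close it, because the first `if (ice->is_destroying)` is read without the mutex. A timer callback can pass that check and then call `pj_mutex_lock(ice->mutex)` while `destroy_ice` on another thread sets the flag, completes its lock/unlock and carries on with teardown. If the remainder of `destroy_ice` (outside this hunk) destroys the mutex or releases the session memory, the callback is then working on freed state, and `ice = td->ice` has already dereferenced the timer data before any check runs. The flag is also a plain `pj_bool_t` written before the lock is taken, so the unlocked read has no ordering guarantee. The durable fix is for the session to outlive every scheduled timer entry, by cancelling the entry with `pj_timer_heap_cancel()` before teardown or by holding a reference for the timer. Until then the first check should carry a comment such as `/* Best-effort only: ice must stay allocated while a timer entry can still fire */`.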
+++ b/pjsip/src/pjsua-lib/pjsua_media.c @@ -518,6 +518,9 @@ static void med_tp_timer_cb(void *user_data) pjsua_call *call = NULL; pjsip_dialog *dlg = NULL; + if (call_med->call == NULL) + return; + acquire_call("med_tp_timer_cb", call_med->call->index, &call, &dlg); call_med->tp_ready = call_med->tp_result; -- cgit v1.2.3
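Review bot: The new guard in `med_tp_timer_cb` reads `call_med->call` twice with no lock visibly held, once in `if (call_med->call == NULL)` and again in `call_med->call->index`, so a concurrent clear of the pointer between the two reads still ends in a NULL dereference. Reading it once into a local removes that gap: `pjsua_call *owner = call_med->call;`, then `if (owner == NULL) return;`, and pass `owner->index` to `acquire_call`. The result of `acquire_call` is discarded on the next context line, so if it reports failure through its return value the function carries on with `call` and `dlg` still NULL. Whether the rest of the body tolerates that is outside this hunk. The early return is also silent, and a debug log line there would make the dropped timer callback visible when diagnosing teardown races.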