From 49c06adc9d511a8fb4a791e14608035affaff7e4 Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Fri, 10 Aug 2018 19:28:45 -0500
Subject: [PATCH] res_pjsip_t38.c: Fix crash if already saw a final T.38
 reINVITE response.

We were still getting crashes after the first fix.  Somehow we receive a
non-2xx final response before we get a 200 final response.  With the
failure response we had already cleaned up and destroyed some data
structures.  When the unexpected 200 response comes in we crash.

* Add protection code to prevent processing another final T.38 reINVITE
response.

ASTERISK-27944

Change-Id: I8b5baba8d07fe4d63f0d7d05d3eb9a3d27d40a74
---
 res/res_pjsip_t38.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index 72f7b8647d..fae6fbbc3a 100644
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
@@ -300,6 +300,15 @@ static int t38_reinvite_response_cb(struct ast_sip_session *session, pjsip_rx_da
 		return 0;
 	}
 
+	if (session->t38state != T38_LOCAL_REINVITE) {
+		/* Do nothing.  We have already processed a final response. */
+		ast_debug(3, "Received %d response to T.38 re-invite on '%s' but already had a final response (T.38 state:%d)\n",
+			status.code,
+			session->channel ? ast_channel_name(session->channel) : "unknown channel",
+			session->t38state);
+		return 0;
+	}
+
 	state = t38_state_get_or_alloc(session);
 	if (!session->channel || !state) {
 		ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but state unavailable\n",