From 85d0272e76858a571d01bcf2ccaba871daa10e16 Mon Sep 17 00:00:00 2001 From: Joshua Colp Date: Sun, 22 May 2016 13:03:20 -0300 Subject: [PATCH] res_pjsip: Only check transaction on transaction state events. The send request callback function currently assumes that it will only ever be called on transaction state changes. This is not always true. If our own timer callback occurs we will call the callback with a timer event instead of a transaction state change event. In this case the transaction on the event is invalid and accessing it will result in a crash. ASTERISK-26049 #close Change-Id: I623211c8533eb73056b0250b4580b49ad4174dfc --- res/res_pjsip.c | 72 +++++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 35 deletions(-) diff --git a/res/res_pjsip.c b/res/res_pjsip.c index c06b67ecf7..bebe941b51 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -3513,46 +3513,48 @@ static void send_request_cb(void *token, pjsip_event *e) pjsip_rx_data *challenge; struct ast_sip_supplement *supplement; - switch(e->body.tsx_state.type) { - case PJSIP_EVENT_TRANSPORT_ERROR: - case PJSIP_EVENT_TIMER: - /* - * Check the request status on transport error or timeout. A transport - * error can occur when a TCP socket closes and that can be the result - * of a 503. Also we may need to failover on a timeout (408). - */ - if (check_request_status(req_data, e)) { - return; - } - break; - case PJSIP_EVENT_RX_MSG: - challenge = e->body.tsx_state.src.rdata; - - /* - * Call any supplements that want to know about a response - * with any received data. - */ - AST_RWLIST_RDLOCK(&supplements); - AST_LIST_TRAVERSE(&supplements, supplement, next) { - if (supplement->incoming_response - && does_method_match(&challenge->msg_info.cseq->method.name, - supplement->method)) { - supplement->incoming_response(req_data->endpoint, challenge); + if (e->type == PJSIP_EVENT_TSX_STATE) { + switch(e->body.tsx_state.type) { + case PJSIP_EVENT_TRANSPORT_ERROR: + case PJSIP_EVENT_TIMER: + /* + * Check the request status on transport error or timeout. A transport + * error can occur when a TCP socket closes and that can be the result + * of a 503. Also we may need to failover on a timeout (408). + */ + if (check_request_status(req_data, e)) { + return; } - } - AST_RWLIST_UNLOCK(&supplements); + break; + case PJSIP_EVENT_RX_MSG: + challenge = e->body.tsx_state.src.rdata; - if (check_request_status(req_data, e)) { /* - * Request with challenge response or failover sent. - * Passed our req_data ref to the new request. + * Call any supplements that want to know about a response + * with any received data. */ - return; + AST_RWLIST_RDLOCK(&supplements); + AST_LIST_TRAVERSE(&supplements, supplement, next) { + if (supplement->incoming_response + && does_method_match(&challenge->msg_info.cseq->method.name, + supplement->method)) { + supplement->incoming_response(req_data->endpoint, challenge); + } + } + AST_RWLIST_UNLOCK(&supplements); + + if (check_request_status(req_data, e)) { + /* + * Request with challenge response or failover sent. + * Passed our req_data ref to the new request. + */ + return; + } + break; + default: + ast_log(LOG_ERROR, "Unexpected PJSIP event %u\n", e->body.tsx_state.type); + break; } - break; - default: - ast_log(LOG_ERROR, "Unexpected PJSIP event %u\n", e->body.tsx_state.type); - break; } if (req_data->callback) {