From ec5b449bcf97729f8664086049c1c4d92564be4e Mon Sep 17 00:00:00 2001
From: Kevin Harwell
Date: Wed, 23 Mar 2022 17:45:45 -0500
Subject: [PATCH] res_pjsip_header_funcs: wrong pool used tdata headers

When adding headers to an outgoing request the headers were cloned using the dialog's pool when they should have been cloned using tdata's pool. Under certain circumstances it was possible for the dialog object, and its pool to be freed while tdata is still active and available. Thus the cloned header "disappeared", and when tdata tried to later access it a crash would occur. This patch makes it so all added headers are cloned appropriately using tdata's pool.

ASTERISK-29411 #close
ASTERISK-29535 #close

Change-Id: I9852025b5ee93ce1c038209150ee9dba1e0767c5
---
 res/res_pjsip_header_funcs.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/res/res_pjsip_header_funcs.c b/res/res_pjsip_header_funcs.c
index ac3bea4372..794b5e8c4b 100644
--- a/res/res_pjsip_header_funcs.c
+++ b/res/res_pjsip_header_funcs.c
@@ -747,7 +747,6 @@ static struct ast_custom_function pjsip_headers_function = {
 */
 static void outgoing_request(struct ast_sip_session *session, pjsip_tx_data * tdata)
 {
- pj_pool_t *pool = session->inv_session->dlg->pool;
 struct hdr_list *list;
 struct hdr_list_entry *le;
 RAII_VAR(struct ast_datastore *, datastore,
@@ -760,7 +759,7 @@ static void outgoing_request(struct ast_sip_session *session, pjsip_tx_data * td
 list = datastore->data;
 AST_LIST_TRAVERSE(list, le, nextptr) {
- pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) pjsip_hdr_clone(pool, le->hdr));
+ pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) pjsip_hdr_clone(tdata->pool, le->hdr));
 }
 ast_sip_session_remove_datastore(session, datastore->uid);
 }
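Review bot: The corrected call `pjsip_hdr_clone(tdata->pool, le->hdr)` in the second hunk has no comment recording the lifetime rule it depends on, so a later refactor could reintroduce the dialog pool and with it the use-after-free described in the commit message. I would add above the call `/* Clone into tdata->pool: the header must live as long as tdata, which can outlive the dialog and its pool. */`. The hunks do not show which pool `le->hdr` itself is allocated from; presumably the session keeps it valid for the duration of this callback, but that is worth confirming because the same lifetime question applies to the source of the clone. outgoing_request begins in the first hunk, and the lines between the two hunks are not shown.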