Author: file
Date: Thu Nov 20 08:56:24 2014
New Revision: 428306

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428306
Log:
AST-2014-016: Fix crash when receiving an in-dialog INVITE with Replaces in res_pjsip_refer.

The implementation of INVITE with Replaces in res_pjsip_refer did not expect them to
occur in-dialog. As a result it would incorrectly attempt to hang up a channel it
thought was under its control. In reality the channel would be under the control of
another thread. When the other thread accessed the channel it would be accessing freed
memory and could crash.

This change makes res_pjsip_refer not act on an in-dialog INVITE with Replaces.

ASTERISK-24528 #close
Reported by: Joshua Colp
........

Merged revisions 428304 from http://svn.asterisk.org/svn/asterisk/branches/12
........

Merged revisions 428305 from http://svn.asterisk.org/svn/asterisk/branches/13

Modified:
    trunk/   (props changed)
    trunk/res/res_pjsip_refer.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-13-merged' - no diff available.

Modified: trunk/res/res_pjsip_refer.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_pjsip_refer.c?view=diff&rev=428306&r1=428305&r2=428306
==============================================================================
--- trunk/res/res_pjsip_refer.c (original)
+++ trunk/res/res_pjsip_refer.c Thu Nov 20 08:56:24 2014
@@ -785,6 +785,12 @@
        other_session = ast_sip_dialog_get_session(other_dlg);
        pjsip_dlg_dec_lock(other_dlg);
 
+       /* Don't accept an in-dialog INVITE with Replaces as it does not make 
much sense */
+       if (session->inv_session->dlg->state == PJSIP_DIALOG_STATE_ESTABLISHED) 
{
+               response = 488;
+               goto end;
+       }
+
        if (!other_session) {
                response = 481;
                ast_debug(3, "INVITE with Replaces received on channel '%s' 
from endpoint '%s', but requested session does not exist\n",
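Review bot: The new established-dialog check (`if (session->inv_session->dlg->state == PJSIP_DIALOG_STATE_ESTABLISHED)`) does not depend on `other_session`, yet it runs after `ast_sip_dialog_get_session(other_dlg)`, so the 488 path jumps to `end` while still holding whatever that lookup returned. Consider moving the check above the lookup, or confirm that the code at `end:` releases `other_session` on this path. The comment "does not make much sense" would also be more useful if it gave the reason from the commit log: in-dialog, the channel is under the control of another thread and must not be hung up directly from here.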
@@ -831,14 +837,20 @@
 
 end:
        if (response) {
-               ast_debug(3, "INVITE with Replaces failed on channel '%s', 
sending response of '%d'\n",
-                       ast_channel_name(session->channel), response);
-               session->defer_terminate = 1;
-               ast_hangup(session->channel);
-               session->channel = NULL;
-
-               if (pjsip_inv_end_session(session->inv_session, response, NULL, 
&packet) == PJ_SUCCESS) {
-                       ast_sip_session_send_response(session, packet);
+               if (session->inv_session->dlg->state != 
PJSIP_DIALOG_STATE_ESTABLISHED) {
+                       ast_debug(3, "INVITE with Replaces failed on channel 
'%s', sending response of '%d'\n",
+                               ast_channel_name(session->channel), response);
+                       session->defer_terminate = 1;
+                       ast_hangup(session->channel);
+                       session->channel = NULL;
+
+                       if (pjsip_inv_end_session(session->inv_session, 
response, NULL, &packet) == PJ_SUCCESS) {
+                               ast_sip_session_send_response(session, packet);
+                       }
+               } else {
+                       ast_debug(3, "INVITE with Replaces in-dialog on channel 
'%s', hanging up\n",
+                               ast_channel_name(session->channel));
+                       ast_queue_hangup(session->channel);
                }
        }
 
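Review bot: In the new `else` branch the `response` value is dropped: for an established dialog only `ast_queue_hangup(session->channel)` runs, nothing visible in this hunk sends the 488 set by the earlier check, and the debug message no longer logs the code. If the response is sent by the caller, a short comment saying so would help; otherwise the in-dialog INVITE goes unanswered from this path. The `session->inv_session->dlg->state` test now appears in both hunks, so reading it once into a local would keep the two decisions consistent. The log message also says the module should "not act on" such an INVITE, while this branch still queues a hangup on the channel; a comment stating that the queued hangup is intentional would remove the ambiguity.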

