res_pjsip_outbound_publish: Ensure publish is valid when explicitly destroying.

Recent changes to res_pjsip_outbound_publish have introduced a
race condition at shutdown where an outbound publish may be shutdown
twice. In this case the first succeeds as a result of the unpublish.
In the second invocation since it's been unpublished a task is
queued to just destroy the client. This task holds no ref to the
publish and as a result the publish may be destroyed before the
task is run, causing a crash.

This explicit destruction task now holds a reference to the publish
to ensure it remains valid.

ASTERISK-26053 #close

Change-Id: I10789b98add3e50292ee3b33a55a1d9061cec94b

diff --git a/res/res_pjsip_outbound_publish.c b/res/res_pjsip_outbound_publish.c
index 1c3b0c6444da59a3247b4aa250e2e3c241ba4e70..53e15a0a48dde5d91ccae6f2e82392b24faa9e24 100644 (file)
--- a/res/res_pjsip_outbound_publish.c
+++ b/res/res_pjsip_outbound_publish.c
@@ -1125,6 +1125,8 @@ static int explicit_publish_destroy(void *data)
                ao2_ref(publisher, -1);
        }
 
+       ao2_ref(publisher, -1);
+
        return 0;
 }
 
@@ -1140,7 +1142,9 @@ static int cancel_and_unpublish(void *obj, void *arg, int flags)
                /* If the publisher was never started, there's nothing to unpublish, so just
                 * destroy the publication and remove its reference to the publisher.
                 */
-               ast_sip_push_task(NULL, explicit_publish_destroy, publisher);
+               if (ast_sip_push_task(NULL, explicit_publish_destroy, ao2_bump(publisher))) {
+                       ao2_ref(publisher, -1);
+               }
                return 0;
        }