When adding headers to an outgoing request the headers were cloned using
the dialog's pool when they should have been cloned using tdata's pool.
Under certain circumstances it was possible for the dialog object, and
its pool, to be freed while tdata is still active and available. Thus the
cloned header "disappeared", and when tdata later tried to access it, a
crash would occur.
This patch makes it so all added headers are cloned appropriately using
tdata's pool.
ASTERISK-29411 #close
ASTERISK-29535 #close
Change-Id: I9852025b5ee93ce1c038209150ee9dba1e0767c5
*/
static void outgoing_request(struct ast_sip_session *session, pjsip_tx_data * tdata)
{
- pj_pool_t *pool = session->inv_session->dlg->pool;
struct hdr_list *list;
struct hdr_list_entry *le;
RAII_VAR(struct ast_datastore *, datastore,
list = datastore->data;
AST_LIST_TRAVERSE(list, le, nextptr) {
- pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) pjsip_hdr_clone(pool, le->hdr));
+ pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) pjsip_hdr_clone(tdata->pool, le->hdr));
}
ast_sip_session_remove_datastore(session, datastore->uid);
}
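Review bot: the pjsip_hdr_clone() call inside the AST_LIST_TRAVERSE loop should carry a short comment saying that the clone must come from tdata->pool because tdata can outlive the dialog and its pool. Without that, the one-line change looks interchangeable with the old dlg->pool version and is easy to undo in a later refactor. The commit message says all added headers are now cloned from tdata's pool, but only this one call site is visible in the hunk, so it is worth confirming that no other path that attaches a header to tdata still uses session->inv_session->dlg->pool.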