res_pjsip_pubsub: potential crash on timeout

What seems to be happening is if a subscription has been terminated and the
subscription timeout/expires is less than the time it takes for all pending
transactions (currently on the subscription) to end then the subscription
timer will not have been canceled yet and sub will be null.  Since the
subscription has already been canceled nothing needs to be done so a null
check in the asterisk code is sufficient in working around this problem.

(closes issue ASTERISK-23129)
Reported by: Dan Jenkins

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@406847 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 2dcfaf68a8a63f4fe69ecd9c564f1674dbf10d1e..5bc2cb46842cc616863c4b6338e52379f19fee71 100644 (file)
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1234,6 +1234,15 @@ static void pubsub_on_server_timeout(pjsip_evsub *evsub)
 {
        struct ast_sip_subscription *sub = pjsip_evsub_get_mod_data(evsub, pubsub_module.id);
 
+       if (!sub) {
+               /* if a subscription has been terminated and the subscription
+                  timeout/expires is less than the time it takes for all pending
+                  transactions to end then the subscription timer will not have
+                  been canceled yet and sub will be null, so do nothing since
+                  the subscription has already been terminated. */
+               return;
+       }
+
        ao2_ref(sub, +1);
        ast_sip_push_task(sub->serializer, serialized_pubsub_on_server_timeout, sub);
 }