res_pjsip_pubsub: Prevent crashes on final NOTIFY.

The SIP dialog is removed from the subscription tree when the final
NOTIFY is sent. However, after the final NOTIFY is sent, the persistence
update function still attempts to access the cseq from the dialog,
resulting in a crash.

This fix removes the subscription persistence at the same time that the
dialog is removed from the subscription tree. This way, there is no
attempt to update persistence when the subscription is being destroyed.

Change-Id: Ibb46977a6cef9c51dc95f40f43446e3d11eed5bb

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 3f940c2e32477e271e1ab106acb5875a3382e83d..03c52017b7d27b861133bfefc9a615198c921142 100644 (file)
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -595,6 +595,7 @@ static void subscription_persistence_remove(struct sip_subscription_tree *sub_tr
 
        ast_sorcery_delete(ast_sip_get_sorcery(), sub_tree->persistence);
        ao2_ref(sub_tree->persistence, -1);
+       sub_tree->persistence = NULL;
 }
 
 
@@ -1180,7 +1181,6 @@ static void subscription_tree_destructor(void *obj)
 
        remove_subscription(sub_tree);
 
-       subscription_persistence_remove(sub_tree);
        ao2_cleanup(sub_tree->endpoint);
 
        destroy_subscriptions(sub_tree->root);
@@ -3279,6 +3279,7 @@ static void pubsub_on_evsub_state(pjsip_evsub *evsub, pjsip_event *event)
        ast_sip_dialog_set_serializer(sub_tree->dlg, NULL);
        ast_sip_dialog_set_endpoint(sub_tree->dlg, NULL);
        sub_tree->dlg = NULL;
+       subscription_persistence_remove(sub_tree);
        shutdown_subscriptions(sub_tree->root);
 
        /* Remove evsub's reference to the sub_tree */