res_pjsip_pubsub: Prevent crash from AMI command on freed subscription.

A test recently uncovered that running an ill-timed AMI command to show
inbound subscriptions could cause a crash since Asterisk will try to
operate on a freed subscription.

The fix for this is to remove the subscription tree from the list of
subscriptions at the time that we are sending our final NOTIFY request
out. This way, as the subscription is in the process of dying, it is
inaccessible from AMI.

Change-Id: Ic0239003d8d73e04c47c12dd2a7e23867e5b5b23

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index cdd1e8029bcb28aaa9a20712bd8e2cfe5b9bc9d7..c91464194dd96a28cbf4cf4e8458ba51bdecfda7 100644 (file)
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1202,8 +1202,6 @@ static void subscription_tree_destructor(void *obj)
 
        ast_debug(3, "Destroying subscription tree %p\n", sub_tree);
 
-       remove_subscription(sub_tree);
-
        ao2_cleanup(sub_tree->endpoint);
 
        destroy_subscriptions(sub_tree->root);
@@ -3295,6 +3293,7 @@ static void pubsub_on_evsub_state(pjsip_evsub *evsub, pjsip_event *event)
                }
        }
 
+       remove_subscription(sub_tree);
        pjsip_evsub_set_mod_data(evsub, pubsub_module.id, NULL);
        sub_tree->evsub = NULL;
        ast_sip_dialog_set_serializer(sub_tree->dlg, NULL);