res_pjsip_pubsub: segfault in function publish_expire

The function pubsub_on_rx_publish_request incorrectly uses
of AST_SCHED_REPLACE_UNREF.

The AST_SCHED_REPLACE_UNREF should unref old '_data'.

Because of this, there may be a double unref
of variable 'publication' when ast_sched_del is unsuccessful
that leads to use after free of the 'publication' in publish_expire.

ASTERISK-27956 #close

Change-Id: Ie0f0cfc7e036953d890b188656010b325a5cdc82

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 3462cb1cc9d04215557ccf25208cabc5a3de62c4..1c1b6dc2bbcacb5d37394750dbf328646f21be91 100644 (file)
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -3359,7 +3359,7 @@ static pj_bool_t pubsub_on_rx_publish_request(pjsip_rx_data *rdata)
                        ao2_link(handler->publications, publication);
 
                        AST_SCHED_REPLACE_UNREF(publication->sched_id, sched, expires * 1000, publish_expire, publication,
-                                               ao2_ref(publication, -1), ao2_ref(publication, -1), ao2_ref(publication, +1));
+                                               ao2_ref(_data, -1), ao2_ref(publication, -1), ao2_ref(publication, +1));
                } else {
                        AST_SCHED_DEL_UNREF(sched, publication->sched_id, ao2_ref(publication, -1));
                }