From: Richard Mudgett Date: Sat, 11 Aug 2018 00:28:45 +0000 (-0500) Subject: res_pjsip_t38.c: Fix crash if already saw a final T.38 reINVITE response. X-Git-Tag: 15.6.0-rc1~13^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49c06adc9d511a8fb4a791e14608035affaff7e4;p=thirdparty%2Fasterisk.git res_pjsip_t38.c: Fix crash if already saw a final T.38 reINVITE response. We were still getting crashes after the first fix. Somehow we receive a non-2xx final response before we get a 200 final response. With the failure response we had already cleaned up and destroyed some data structures. When the unexpected 200 response comes in we crash. * Add protection code to prevent processing another final T.38 reINVITE response. ASTERISK-27944 Change-Id: I8b5baba8d07fe4d63f0d7d05d3eb9a3d27d40a74 --- diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c index 72f7b8647d..fae6fbbc3a 100644 --- a/res/res_pjsip_t38.c +++ b/res/res_pjsip_t38.c @@ -300,6 +300,15 @@ static int t38_reinvite_response_cb(struct ast_sip_session *session, pjsip_rx_da return 0; } + if (session->t38state != T38_LOCAL_REINVITE) { + /* Do nothing. We have already processed a final response. */ + ast_debug(3, "Received %d response to T.38 re-invite on '%s' but already had a final response (T.38 state:%d)\n", + status.code, + session->channel ? ast_channel_name(session->channel) : "unknown channel", + session->t38state); + return 0; + } + state = t38_state_get_or_alloc(session); if (!session->channel || !state) { ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but state unavailable\n",