From: Sean Bright <sean.bright@gmail.com>
Date: Tue, 3 Dec 2019 21:42:00 +0000 (-0500)
Subject: res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled
X-Git-Tag: 17.1.0-rc1~10^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d56adf8fbbbaa6c05c547eb482f1d154ec006d4;p=thirdparty%2Fasterisk.git

res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled

We need to copy the endpoint name before we call ao2_cleanup() on it,
otherwise we might try to access memory that has been reclaimed.

ASTERISK-28445 #close
Reported by: Bernhard Schmidt

Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
---

diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 7373c195da..bc01548b61 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -2150,8 +2150,10 @@ static void session_destructor(void *obj)
 {
 	struct ast_sip_session *session = obj;
 	struct ast_sip_session_delayed_request *delay;
+
+	/* We dup the endpoint ID in case the endpoint gets freed out from under us */
 	const char *endpoint_name = session->endpoint ?
-		ast_sorcery_object_get_id(session->endpoint) : "<none>";
+		ast_strdupa(ast_sorcery_object_get_id(session->endpoint)) : "<none>";
 
 	ast_debug(3, "Destroying SIP session with endpoint %s\n", endpoint_name);