From: Mark Michelson Date: Mon, 25 Jan 2016 22:51:25 +0000 (-0600) Subject: res_pjsip_pubsub: Prevent crash from AMI command on freed subscription. X-Git-Tag: 13.8.0-rc1~107^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8261bda1bf63d76f0913a5273c9b7ae1729addec;p=thirdparty%2Fasterisk.git res_pjsip_pubsub: Prevent crash from AMI command on freed subscription. A test recently uncovered that running an ill-timed AMI command to show inbound subscriptions could cause a crash since Asterisk will try to operate on a freed subscription. The fix for this is to remove the subscription tree from the list of subscriptions at the time that we are sending our final NOTIFY request out. This way, as the subscription is in the process of dying, it is inaccessible from AMI. Change-Id: Ic0239003d8d73e04c47c12dd2a7e23867e5b5b23
---
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index cdd1e8029b..c91464194d 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1202,8 +1202,6 @@ static void subscription_tree_destructor(void *obj)
 ast_debug(3, "Destroying subscription tree %p\n", sub_tree);
- remove_subscription(sub_tree);
-
 ao2_cleanup(sub_tree->endpoint);
 destroy_subscriptions(sub_tree->root);
@@ -3295,6 +3293,7 @@ static void pubsub_on_evsub_state(pjsip_evsub *evsub, pjsip_event *event)
 }
 }
+ remove_subscription(sub_tree);
 pjsip_evsub_set_mod_data(evsub, pubsub_module.id, NULL);
 sub_tree->evsub = NULL;
 ast_sip_dialog_set_serializer(sub_tree->dlg, NULL);
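Review bot: With the unlink moved to `pubsub_on_evsub_state`, nothing visible in this patch removes a tree from the subscription list if it is destroyed without reaching this line, and such a tree would stay reachable from the AMI listing after it is freed, which is the same use-after-free this commit closes. The condition guarding the new call and the start of the function are outside the hunk, so whether every teardown path (for example a subscription that fails during setup after being added to the list) passes through here cannot be confirmed from the page. If `remove_subscription()` is safe to call on a tree that is already unlinked, keeping the call in `subscription_tree_destructor` as a backstop would cover those paths; otherwise document the invariant at the new call site, e.g. `/* Unlink before teardown so AMI list traversal cannot reach a dying tree; the destructor no longer does this. */`.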