From: Richard Mudgett <rmudgett@digium.com>
Date: Mon, 10 Apr 2017 16:30:35 +0000 (-0500)
Subject: res_pjsip: Fix pointer use after unref.
X-Git-Tag: 13.16.0-rc1~50^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aecf19e7d26c4198906d4e9a75ba955acb26e6b5;p=thirdparty%2Fasterisk.git

res_pjsip: Fix pointer use after unref.

Change-Id: I4b6e1b0070563eeaee223cb58326f1b962ed5bc1
---

diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
index 3c41f175aa..d180296f42 100644
--- a/res/res_pjsip/config_transport.c
+++ b/res/res_pjsip/config_transport.c
@@ -286,15 +286,16 @@ static struct internal_state *find_internal_state_by_transport(const struct ast_
 static struct ast_sip_transport_state *find_state_by_transport(const struct ast_sip_transport *transport)
 {
 	struct internal_state *state;
+	struct ast_sip_transport_state *trans_state;
 
 	state = find_internal_state_by_transport(transport);
 	if (!state) {
 		return NULL;
 	}
-	ao2_bump(state->state);
-	ao2_cleanup(state);
+	trans_state = ao2_bump(state->state);
+	ao2_ref(state, -1);
 
-	return state->state;
+	return trans_state;
 }
 
 static int remove_temporary_state(void)
@@ -1297,22 +1298,22 @@ static struct ast_sip_cli_formatter_entry *cli_formatter;
 
 struct ast_sip_transport_state *ast_sip_get_transport_state(const char *transport_id)
 {
-	struct internal_state * state = NULL;
+	struct internal_state *state = NULL;
+	struct ast_sip_transport_state *trans_state;
 
 	if (!transport_states) {
 		return NULL;
 	}
 
 	state = ao2_find(transport_states, transport_id, OBJ_SEARCH_KEY);
-	if (!state || !state->state) {
-		ao2_cleanup(state);
+	if (!state) {
 		return NULL;
 	}
 
-	ao2_ref(state->state, +1);
+	trans_state = ao2_bump(state->state);
 	ao2_ref(state, -1);
 
-	return state->state;
+	return trans_state;
 }
 
 static int populate_transport_states(void *obj, void *arg, int flags)