From: Alexei Gradinari
Date: Thu, 5 Jul 2018 21:02:00 +0000 (-0400)
Subject: res_pjsip_pubsub: segfault in function publish_expire
X-Git-Tag: 15.6.0-rc1~104^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec0e185274daf947b94b91f8cacb9cbe913d37c7;p=thirdparty%2Fasterisk.git

res_pjsip_pubsub: segfault in function publish_expire

The function pubsub_on_rx_publish_request incorrectly uses AST_SCHED_REPLACE_UNREF. AST_SCHED_REPLACE_UNREF should unref the old '_data'. Because of this, there may be a double unref of the variable 'publication' when ast_sched_del is unsuccessful, which leads to a use after free of 'publication' in publish_expire.

ASTERISK-27956 #close

Change-Id: Ie0f0cfc7e036953d890b188656010b325a5cdc82
---
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c index 3462cb1cc9..1c1b6dc2bb 100644 --- a/res/res_pjsip_pubsub.c +++ b/res/res_pjsip_pubsub.c @@ -3359,7 +3359,7 @@ static pj_bool_t pubsub_on_rx_publish_request(pjsip_rx_data *rdata) ao2_link(handler->publications, publication); AST_SCHED_REPLACE_UNREF(publication->sched_id, sched, expires * 1000, publish_expire, publication, - ao2_ref(publication, -1), ao2_ref(publication, -1), ao2_ref(publication, +1)); + ao2_ref(_data, -1), ao2_ref(publication, -1), ao2_ref(publication, +1)); } else { AST_SCHED_DEL_UNREF(sched, publication->sched_id, ao2_ref(publication, -1)); }
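Review bot: The one-token change in this hunk (`ao2_ref(publication, -1)` to `ao2_ref(_data, -1)` in the first unref slot of AST_SCHED_REPLACE_UNREF) is easy to mistake for a typo, because `_data` is not declared anywhere in the visible code; it is only meaningful because the macro binds it to the previously scheduled callback data, as the commit message explains. Please add a one-line comment above the macro call stating that the first unref applies to the old scheduled data and must not name `publication`, otherwise a later reader is likely to "fix" it back and reintroduce the double unref when ast_sched_del fails (the second unref slot, `ao2_ref(publication, -1)`, already covers that failure path). Since the macro takes three ref-adjustment expressions whose meaning depends on position, it is also worth checking the other AST_SCHED_REPLACE_UNREF call sites in the tree for the same `ao2_ref(<new data>, -1)` pattern in the first slot.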