res_pjsip_outbound_publish: Ensure publish is valid when explicitly destroying.
authorJoshua Colp <jcolp@digium.com>
Tue, 24 May 2016 10:28:17 +0000 (07:28 -0300)
committerJoshua Colp <jcolp@digium.com>
Tue, 24 May 2016 14:08:37 +0000 (11:08 -0300)
Recent changes to res_pjsip_outbound_publish have introduced a
race condition at shutdown where an outbound publish may be shutdown
twice. In this case the first succeeds as a result of the unpublish.
In the second invocation since it's been unpublished a task is
queued to just destroy the client. This task holds no ref to the
publish and as a result the publish may be destroyed before the
task is run, causing a crash.

This explicit destruction task now holds a reference to the publish
to ensure it remains valid.

ASTERISK-26053 #close

Change-Id: I10789b98add3e50292ee3b33a55a1d9061cec94b

res/res_pjsip_outbound_publish.c

index 1c3b0c6..53e15a0 100644 (file)
@@ -1125,6 +1125,8 @@ static int explicit_publish_destroy(void *data)
                ao2_ref(publisher, -1);
        }
 
+       ao2_ref(publisher, -1);
+
        return 0;
 }
 
@@ -1140,7 +1142,9 @@ static int cancel_and_unpublish(void *obj, void *arg, int flags)
                /* If the publisher was never started, there's nothing to unpublish, so just
                 * destroy the publication and remove its reference to the publisher.
                 */
-               ast_sip_push_task(NULL, explicit_publish_destroy, publisher);
+               if (ast_sip_push_task(NULL, explicit_publish_destroy, ao2_bump(publisher))) {
+                       ao2_ref(publisher, -1);
+               }
                return 0;
        }