Resolve crash in subscribing for MWI notifications

ASTOBJ_UNREF sets the variable to NULL after unreffing it, so the variable
should definitely not be used after that. To solve this in the two cases
that affect subscribing for MWI notifications, we instead save the ref
locally, and unref them in the error conditions.

(closes issue ASTERISK-19827)
Reported by: B. R
Review: https://reviewboard.asterisk.org/r/1940/
........

Merged revisions 367266 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 367267 from http://svn.asterisk.org/svn/asterisk/branches/10

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@367274 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index a84adeb..665daec 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -12926,13 +12926,14 @@ static int __sip_subscribe_mwi_do(struct sip_subscription_mwi *mwi)
        /* If we have no DNS manager let's do a lookup */
        if (!mwi->dnsmgr) {
                char transport[MAXHOSTNAMELEN];
+               struct sip_subscription_mwi *saved;
                snprintf(transport, sizeof(transport), "_%s._%s", get_srv_service(mwi->transport), get_srv_protocol(mwi->transport));
 
                mwi->us.ss.ss_family = get_address_family_filter(&bindaddr); /* Filter address family */
-               ASTOBJ_REF(mwi); /* Add a ref for storing the mwi on the dnsmgr for updates */
-               ast_dnsmgr_lookup_cb(mwi->hostname, &mwi->us, &mwi->dnsmgr, sip_cfg.srvlookup ? transport : NULL, on_dns_update_mwi, mwi);
+               saved = ASTOBJ_REF(mwi);
+               ast_dnsmgr_lookup_cb(mwi->hostname, &mwi->us, &mwi->dnsmgr, sip_cfg.srvlookup ? transport : NULL, on_dns_update_mwi, saved);
                if (!mwi->dnsmgr) {
-                       ASTOBJ_UNREF(mwi, sip_subscribe_mwi_destroy); /* dnsmgr disabled, remove reference */
+                       ASTOBJ_UNREF(saved, sip_subscribe_mwi_destroy); /* dnsmgr disabled, remove reference */
                }
        }
 
@@ -30932,10 +30933,12 @@ static void sip_send_all_registers(void)
 static void sip_send_all_mwi_subscriptions(void)
 {
        ASTOBJ_CONTAINER_TRAVERSE(&submwil, 1, do {
+               struct sip_subscription_mwi *saved;
                ASTOBJ_WRLOCK(iterator);
                AST_SCHED_DEL(sched, iterator->resub);
-               if ((iterator->resub = ast_sched_add(sched, 1, sip_subscribe_mwi_do, ASTOBJ_REF(iterator))) < 0) {
-                       ASTOBJ_UNREF(iterator, sip_subscribe_mwi_destroy);
+               saved = ASTOBJ_REF(iterator);
+               if ((iterator->resub = ast_sched_add(sched, 1, sip_subscribe_mwi_do, saved)) < 0) {
+                       ASTOBJ_UNREF(saved, sip_subscribe_mwi_destroy);
                }
                ASTOBJ_UNLOCK(iterator);
        } while (0));