res_pjsip_refer: Fix crash from a REFER and BYE collision.

Analyzing a one-off crash on a busy system showed that processing a REFER
request had a NULL session channel pointer.  The only way I can think of
that could cause this is if an outgoing BYE transaction overlapped the
incoming REFER transaction in a collision.  Asterisk sends a BYE while the
phone sends a REFER to complete an attended transfer.

* Made check the session channel pointer before processing an incoming
REFER request in res_pjsip_refer.

* Fixed similar crash potential for res_pjsip supplement incoming request
processing for res_pjsip_sdp_rtp INFO, res_pjsip_caller_id INVITE/UPDATE,
res_pjsip_messaging MESSAGE, and res_pjsip_send_to_voicemail REFER
messages.

* Made res_pjsip_messaging respond to a message body too large with a 413
instead of ignoring it.

ASTERISK-24700 #close
Reported by: Zane Conkle

Review: https://reviewboard.asterisk.org/r/4417/


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@431898 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Richard Mudgett
2015-02-17 15:31:46 +00:00
parent 562b7bf6f0
commit 6d3fcfc3c2
5 changed files with 31 additions and 15 deletions

@@ -1268,15 +1268,18 @@ static struct ast_sip_session_sdp_handler video_sdp_handler = {
static int video_info_incoming_request(struct ast_sip_session *session, struct pjsip_rx_data *rdata)
{
struct pjsip_transaction *tsx = pjsip_rdata_get_tsx(rdata);
struct pjsip_transaction *tsx;
pjsip_tx_data *tdata;
if (!ast_sip_is_content_type(&rdata->msg_info.msg->body->content_type,
"application",
"media_control+xml")) {
if (!session->channel
|| !ast_sip_is_content_type(&rdata->msg_info.msg->body->content_type,
"application",
"media_control+xml")) {
return 0;
}
tsx = pjsip_rdata_get_tsx(rdata);
ast_queue_control(session->channel, AST_CONTROL_VIDUPDATE);
if (pjsip_dlg_create_response(session->inv_session->dlg, rdata, 200, NULL, &tdata) == PJ_SUCCESS) {
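Review bot: in video_info_incoming_request the new condition still evaluates `&rdata->msg_info.msg->body->content_type` without first checking that `body` is non-NULL, and nothing earlier in the function does so either. An INFO that arrives without a body would hand ast_sip_is_content_type a pointer derived from NULL. Since the purpose here is to harden incoming-request supplements against NULL pointers, consider extending the guard to `!session->channel || !rdata->msg_info.msg->body || ...`, unless the caller already guarantees a body. A one-line comment on the `!session->channel` test saying it covers a collision with an outgoing BYE would also help the next reader understand why the check exists.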