kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-12 15:45:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

res_pjsip_pubsub: segfault in function publish_expire

Browse Source 
The function pubsub_on_rx_publish_request incorrectly uses
of AST_SCHED_REPLACE_UNREF.

The AST_SCHED_REPLACE_UNREF should unref old '_data'.

Because of this, there may be a double unref
of variable 'publication' when ast_sched_del is unsuccessful
that leads to use after free of the 'publication' in publish_expire.

ASTERISK-27956 #close

Change-Id: Ie0f0cfc7e036953d890b188656010b325a5cdc82
This commit is contained in:
Alexei Gradinari
2018-07-05 17:02:00 -04:00
parent ee3cbce5ba
commit 96abe79ddf
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
res/res_pjsip_pubsub.c
View File

@@ -3354,7 +3354,7 @@ static pj_bool_t pubsub_on_rx_publish_request(pjsip_rx_data *rdata)
ao2_link(handler->publications, publication);
AST_SCHED_REPLACE_UNREF(publication->sched_id, sched, expires * 1000, publish_expire, publication,
ao2_ref(publication, -1), ao2_ref(publication, -1), ao2_ref(publication, +1));
ao2_ref(_data, -1), ao2_ref(publication, -1), ao2_ref(publication, +1));
} else {
AST_SCHED_DEL_UNREF(sched, publication->sched_id, ao2_ref(publication, -1));
}