Update for 15.7.4

After receiving a 200 OK with a declined stream in response to a T.38
initiated re-invite Asterisk would crash when attempting to dereference
a NULL session media object.

This patch checks to make sure the session media object is not NULL before
attempting to use it.

ASTERISK-28495
patches:
  ast-2019-004.patch submitted by Alexei Gradinari (license 5691)

Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572

.version

@@ -1 +1 @@
-15.7.2
+15.7.4

ChangeLog

@@ -1,3 +1,58 @@
+2019-09-05 13:09 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 15.7.4 Released.
+
+2019-08-20 15:05 +0000 [b49f09a292]  Alexei Gradinari <alex2grad@gmail.com> (license 5691)
+
+	* AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media
+
+	  After receiving a 200 OK with a declined stream in response to a T.38
+	  initiated re-invite Asterisk would crash when attempting to dereference
+	  a NULL session media object.
+
+	  This patch checks to make sure the session media object is not NULL before
+	  attempting to use it.
+
+	  ASTERISK-28495
+	  patches:
+	    ast-2019-004.patch submitted by Alexei Gradinari (license 5691)
+
+	  Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572
+
+2019-07-11 19:22 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 15.7.3 Released.
+
+2019-06-12 13:03 +0000 [08cf3516c4]  George Joseph <gjoseph@digium.com>
+
+	* res_pjsip_messaging:  Check for body in in-dialog message
+
+	  We now check that a body exists and it has a length > 0 before
+	  attempting to process it.
+
+	  ASTERISK-28447
+	  Reported-by: Gil Richard
+
+	  Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+
+2019-06-28 11:15 +0000 [74835b30c8]  Francesco Castellano <francesco.castellano@messagenet.it>
+
+	* chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+	  The chan_sip module performs a T.38 re-invite using a single media
+	  stream of udptl, and expects the SDP answer to be the same.
+
+	  If an SDP answer is received instead that contains an additional
+	  media stream with no joint codec a crash will occur as the code
+	  assumes that at least one joint codec will exist in this
+	  scenario.
+
+	  This change removes this assumption.
+
+	  ASTERISK-28465
+
+	  Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+
 2019-02-28 18:40 +0000  Asterisk Development Team <asteriskteam@digium.com>
 
 	* asterisk 15.7.2 Released.

asterisk-15.7.2-summary.html

@@ -1,37 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-15.7.2</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-15.7.2</h3><h3 align="center">Date: 2019-02-28</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
-<li><a href="#summary">Summary</a></li>
-<li><a href="#contributors">Contributors</a></li>
-<li><a href="#closed_issues">Closed Issues</a></li>
-<li><a href="#commits">Other Changes</a></li>
-<li><a href="#diffstat">Diffstat</a></li>
-</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
-<li><a href="http://downloads.asterisk.org/pub/security/AST-2019-001.html">AST-2019-001</a></li>
-</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-15.7.1.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
-<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">2 George Joseph <gjoseph@digium.com><br/></td><td width="33%"><td width="33%">1 Sotiris Ganouris <topgan1@gmail.com><br/>1 Sotiris Ganouris<br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-28260">ASTERISK-28260</a>: Asterisk segfault when rtp negotiation is wrong or fails<br/>Reported by: Sotiris Ganouris<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=e436aab179e6dd8a6ff9508289b7e081e5fdf032">[e436aab179]</a> George Joseph -- res_pjsip_sdp_rtp:  Fix return code from apply_negotiated_sdp_stream</li>
-</ul><br><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
-<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
-<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=735c0a39424a725aa70a6067d769cbd0b7531ccd">735c0a3942</a></td><td>George Joseph</td><td>CI: Update jenkinsfiles with new Gerrit URLs</td></tr>
-</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>asterisk-15.7.1-summary.html                           |   27
-asterisk-15.7.1-summary.txt                            |   97 --
-b/.version                                             |    2
-b/ChangeLog                                            |   22
-b/asterisk-15.7.0-rc1-summary.html                     |  269 +++++++
-b/asterisk-15.7.0-rc1-summary.txt                      |  598 +++++++++++++++++
-b/contrib/realtime/mssql/mssql_cdr.sql                 |    3
-b/contrib/realtime/mssql/mssql_config.sql              |    3
-b/contrib/realtime/mssql/mssql_voicemail.sql           |    3
-b/contrib/realtime/mysql/mysql_cdr.sql                 |    3
-b/contrib/realtime/mysql/mysql_config.sql              |    3
-b/contrib/realtime/mysql/mysql_voicemail.sql           |    3
-b/contrib/realtime/oracle/oracle_cdr.sql               |    3
-b/contrib/realtime/oracle/oracle_config.sql            |    3
-b/contrib/realtime/oracle/oracle_voicemail.sql         |    3
-b/contrib/realtime/postgresql/postgresql_cdr.sql       |    3
-b/contrib/realtime/postgresql/postgresql_config.sql    |    3
-b/contrib/realtime/postgresql/postgresql_voicemail.sql |    3
-b/res/res_pjsip_sdp_rtp.c                              |    2
-b/tests/CI/gates.jenkinsfile                           |    3
-20 files changed, 882 insertions(+), 174 deletions(-)</pre><br></html>

asterisk-15.7.2-summary.txt

@@ -1,121 +0,0 @@
-                                Release Summary
-
-                                asterisk-15.7.2
-
-                                Date: 2019-02-28
-
-                           <asteriskteam@digium.com>
-
-     ----------------------------------------------------------------------
-
-                               Table of Contents
-
-    1. Summary
-    2. Contributors
-    3. Closed Issues
-    4. Other Changes
-    5. Diffstat
-
-     ----------------------------------------------------------------------
-
-                                    Summary
-
-                                 [Back to Top]
-
-   This release has been made to address one or more security vulnerabilities
-   that have been identified. A security advisory document has been published
-   for each vulnerability that includes additional information. Users of
-   versions of Asterisk that are affected are strongly encouraged to review
-   the advisories and determine what action they should take to protect their
-   systems from these issues.
-
-   Security Advisories:
-
-     * AST-2019-001
-
-   The data in this summary reflects changes that have been made since the
-   previous release, asterisk-15.7.1.
-
-     ----------------------------------------------------------------------
-
-                                  Contributors
-
-                                 [Back to Top]
-
-   This table lists the people who have submitted code, those that have
-   tested patches, as well as those that reported issues on the issue tracker
-   that were resolved in this release. For coders, the number is how many of
-   their patches (of any size) were committed into this release. For testers,
-   the number is the number of times their name was listed as assisting with
-   testing a patch. Finally, for reporters, the number is the number of
-   issues that they reported that were affected by commits that went into
-   this release.
-
-   Coders                   Testers                  Reporters                
-   2 George Joseph                                   1 Sotiris Ganouris       
-                                                     1 Sotiris Ganouris       
-
-     ----------------------------------------------------------------------
-
-                                 Closed Issues
-
-                                 [Back to Top]
-
-   This is a list of all issues from the issue tracker that were closed by
-   changes that went into this release.
-
-  Security
-
-    Category: Channels/chan_pjsip
-
-   ASTERISK-28260: Asterisk segfault when rtp negotiation is wrong or fails
-   Reported by: Sotiris Ganouris
-     * [e436aab179] George Joseph -- res_pjsip_sdp_rtp: Fix return code from
-       apply_negotiated_sdp_stream
-
-     ----------------------------------------------------------------------
-
-                      Commits Not Associated with an Issue
-
-                                 [Back to Top]
-
-   This is a list of all changes that went into this release that did not
-   reference a JIRA issue.
-
-   +------------------------------------------------------------------------+
-   | Revision   | Author        | Summary                                   |
-   |------------+---------------+-------------------------------------------|
-   | 735c0a3942 | George Joseph | CI: Update jenkinsfiles with new Gerrit   |
-   |            |               | URLs                                      |
-   +------------------------------------------------------------------------+
-
-     ----------------------------------------------------------------------
-
-                                Diffstat Results
-
-                                 [Back to Top]
-
-   This is a summary of the changes to the source code that went into this
-   release that was generated using the diffstat utility.
-
- asterisk-15.7.1-summary.html                           |   27
- asterisk-15.7.1-summary.txt                            |   97 --
- b/.version                                             |    2
- b/ChangeLog                                            |   22
- b/asterisk-15.7.0-rc1-summary.html                     |  269 +++++++
- b/asterisk-15.7.0-rc1-summary.txt                      |  598 +++++++++++++++++
- b/contrib/realtime/mssql/mssql_cdr.sql                 |    3
- b/contrib/realtime/mssql/mssql_config.sql              |    3
- b/contrib/realtime/mssql/mssql_voicemail.sql           |    3
- b/contrib/realtime/mysql/mysql_cdr.sql                 |    3
- b/contrib/realtime/mysql/mysql_config.sql              |    3
- b/contrib/realtime/mysql/mysql_voicemail.sql           |    3
- b/contrib/realtime/oracle/oracle_cdr.sql               |    3
- b/contrib/realtime/oracle/oracle_config.sql            |    3
- b/contrib/realtime/oracle/oracle_voicemail.sql         |    3
- b/contrib/realtime/postgresql/postgresql_cdr.sql       |    3
- b/contrib/realtime/postgresql/postgresql_config.sql    |    3
- b/contrib/realtime/postgresql/postgresql_voicemail.sql |    3
- b/res/res_pjsip_sdp_rtp.c                              |    2
- b/tests/CI/gates.jenkinsfile                           |    3
- 20 files changed, 882 insertions(+), 174 deletions(-)

asterisk-15.7.4-summary.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-15.7.4</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-15.7.4</h3><h3 align="center">Date: 2019-09-05</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2019-004.html">AST-2019-004</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-15.7.3.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Alexei Gradinari <alex2grad@gmail.com> (license 5691)<br/></td><td width="33%"><td width="33%">1 Alexei Gradinari <alex2grad@gmail.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Resources/res_pjsip_t38</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-28495">ASTERISK-28495</a>: res_pjsip_t38: 200 OK with SDP answer with declined stream causes crash<br/>Reported by: Alexei Gradinari<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=b49f09a2929ff77e0fc08ef02238b5bc917aab08">[b49f09a292]</a> Alexei Gradinari -- AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>res_pjsip_t38.c |   46 +++++++++++++++++++++++++---------------------
+1 file changed, 25 insertions(+), 21 deletions(-)</pre><br></html>

asterisk-15.7.4-summary.txt

@@ -0,0 +1,85 @@
+                                Release Summary
+
+                                asterisk-15.7.4
+
+                                Date: 2019-09-05
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2019-004
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-15.7.3.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                            Testers         Reporters                
+   1 Alexei Gradinari (license 5691)                 1 Alexei Gradinari       
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Resources/res_pjsip_t38
+
+   ASTERISK-28495: res_pjsip_t38: 200 OK with SDP answer with declined stream
+   causes crash
+   Reported by: Alexei Gradinari
+     * [b49f09a292] Alexei Gradinari -- AST-2019-004 - res_pjsip_t38.c: Add
+       NULL checks before using session media
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ res_pjsip_t38.c |   46 +++++++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 21 deletions(-)

channels/chan_sip.c

@@ -10921,7 +10921,13 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req, int t38action
 			    ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
 	}
 
-	if (portno != -1 || vportno != -1 || tportno != -1) {
+	/* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
+	 * video is not being transported, thus we continue in this function further up if that is
+	 * the case. If we receive an SDP answer containing both a UDPTL stream and another media
+	 * stream however we need to check again to ensure that there is at least one joint codec
+	 * instead of assuming there is one.
+	 */
+	if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
 		/* We are now ready to change the sip session and RTP structures with the offered codecs, since
 		   they are acceptable */
 		unsigned int framing;

res/res_pjsip_messaging.c

@@ -91,10 +91,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
 	static const pj_str_t text = { "text", 4};
 	static const pj_str_t application = { "application", 11};
 
+	if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
+		return res;
+	}
+
 	/* We'll accept any text/ or application/ content type */
-	if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
-		&& (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
-			|| pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
+	if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+			|| pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
 		res = PJSIP_SC_OK;
 	} else if (rdata->msg_info.ctype
 		&& (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0

res/res_pjsip_t38.c

@@ -203,7 +203,6 @@ static int t38_automatic_reject(void *obj)
 {
 	RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup);
 	RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup);
-	struct ast_sip_session_media *session_media;
 
 	if (!datastore) {
 		return 0;
@@ -212,8 +211,7 @@ static int t38_automatic_reject(void *obj)
 	ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
 		session->channel ? ast_channel_name(session->channel) : "<gone>");
 
-	session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-	t38_change_state(session, session_media, datastore->data, T38_REJECTED);
+	t38_change_state(session, NULL, datastore->data, T38_REJECTED);
 	ast_sip_session_resume_reinvite(session);
 
 	return 0;
@@ -322,28 +320,37 @@ static int t38_reinvite_response_cb(struct ast_sip_session *session, pjsip_rx_da
 		int index;
 
 		session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-		t38_change_state(session, session_media, state, T38_ENABLED);
+		if (!session_media) {
+			ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
+					status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
+		} else {
+			t38_change_state(session, session_media, state, T38_ENABLED);
 
-		/* Stop all the streams in the stored away active state, they'll go back to being active once
-		 * we reinvite back.
-		 */
-		for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
-			struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
+			/* Stop all the streams in the stored away active state, they'll go back to being active once
+			 * we reinvite back.
+			 */
+			for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
+				struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
 
-			if (session_media && session_media->handler && session_media->handler->stream_stop) {
-				session_media->handler->stream_stop(session_media);
+				if (session_media && session_media->handler && session_media->handler->stream_stop) {
+					session_media->handler->stream_stop(session_media);
+				}
 			}
+
+			return 0;
 		}
 	} else {
 		session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-		t38_change_state(session, session_media, state, T38_REJECTED);
-
-		/* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
-		ast_sip_session_media_state_free(state->media_state);
-		state->media_state = NULL;
-		ast_sip_session_media_state_reset(session->pending_media_state);
 	}
 
+	/* If no session_media then response contained a declined stream, so disable */
+	t38_change_state(session, NULL, state, session_media ? T38_REJECTED : T38_DISABLED);
+
+	/* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
+	ast_sip_session_media_state_free(state->media_state);
+	state->media_state = NULL;
+	ast_sip_session_media_state_reset(session->pending_media_state);
+
 	return 0;
 }
 
@@ -426,12 +433,10 @@ static int t38_interpret_parameters(void *obj)
 		/* Negotiation can not take place without a valid max_ifp value. */
 		if (!parameters->max_ifp) {
 			if (data->session->t38state == T38_PEER_REINVITE) {
-				session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-				t38_change_state(data->session, session_media, state, T38_REJECTED);
+				t38_change_state(data->session, NULL, state, T38_REJECTED);
 				ast_sip_session_resume_reinvite(data->session);
 			} else if (data->session->t38state == T38_ENABLED) {
-				session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-				t38_change_state(data->session, session_media, state, T38_DISABLED);
+				t38_change_state(data->session, NULL, state, T38_DISABLED);
 				ast_sip_session_refresh(data->session, NULL, NULL, NULL,
 					AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
 				state->media_state = NULL;
@@ -454,6 +459,11 @@ static int t38_interpret_parameters(void *obj)
 			state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version);
 			state->our_parms.rate_management = state->their_parms.rate_management;
 			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+			if (!session_media) {
+				ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n",
+					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+				break;
+			}
 			ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
 			t38_change_state(data->session, session_media, state, T38_ENABLED);
 			ast_sip_session_resume_reinvite(data->session);
@@ -468,8 +478,13 @@ static int t38_interpret_parameters(void *obj)
 			}
 			state->our_parms = *parameters;
 			session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+			if (!session_media) {
+				ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n",
+					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+				break;
+			}
 			ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
-			t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE);
+			t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE);
 			ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb,
 				AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state);
 		}
@@ -478,12 +493,10 @@ static int t38_interpret_parameters(void *obj)
 	case AST_T38_REFUSED:
 	case AST_T38_REQUEST_TERMINATE:         /* Shutdown T38 */
 		if (data->session->t38state == T38_PEER_REINVITE) {
-			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-			t38_change_state(data->session, session_media, state, T38_REJECTED);
+			t38_change_state(data->session, NULL, state, T38_REJECTED);
 			ast_sip_session_resume_reinvite(data->session);
 		} else if (data->session->t38state == T38_ENABLED) {
-			session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-			t38_change_state(data->session, session_media, state, T38_DISABLED);
+			t38_change_state(data->session, NULL, state, T38_DISABLED);
 			ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
 			state->media_state = NULL;
 		}
@@ -493,6 +506,11 @@ static int t38_interpret_parameters(void *obj)
 
 		if (data->session->t38state == T38_PEER_REINVITE) {
 			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+			if (!session_media) {
+				ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n",
+					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+				break;
+			}
 			parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl);
 			parameters.request_response = AST_T38_REQUEST_NEGOTIATE;
 			ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, &parameters, sizeof(parameters));
@@ -788,7 +806,7 @@ static int negotiate_incoming_sdp_stream(struct ast_sip_session *session,
 
 	if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) {
 		ast_debug(3, "Declining; T.38 state is rejected or declined\n");
-		t38_change_state(session, session_media, state, T38_DISABLED);
+		t38_change_state(session, NULL, state, T38_DISABLED);
 		return 0;
 	}