mirror of
https://github.com/asterisk/asterisk.git
synced 2025-10-31 02:37:10 +00:00
f00525a6f6
This patch fixes the issue in pjsip_tx_data_dec_ref() when tx_data_destroy can be called more than once, and checks if invalid value (e.g. NULL) is passed to. This patch updates array limit checks and docs in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability(). Change-Id: I4c7a132b9664afaecbd6bf5ea4c951e43e273e40
25 lines
857 B
Diff
25 lines
857 B
Diff
This patch fixes the issue in pjsip_tx_data_dec_ref()
|
|
when tx_data_destroy can be called more than once,
|
|
and checks if invalid value (e.g. NULL) is passed to.
|
|
|
|
Index: pjsip/src/pjsip/sip_transport.c
|
|
===================================================================
|
|
--- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
|
|
+++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
|
|
@@ -491,8 +491,13 @@
|
|
*/
|
|
PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
|
|
{
|
|
- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
|
|
- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
|
|
+ pj_atomic_value_t ref_cnt;
|
|
+
|
|
+ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
|
|
+
|
|
+ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
|
|
+ pj_assert( ref_cnt >= 0);
|
|
+ if (ref_cnt == 0) {
|
|
tx_data_destroy(tdata);
|
|
return PJSIP_EBUFDESTROYED;
|
|
} else {
|