[asterisk-commits] bebuild: tag 12.7.1 r428444 - in /tags/12.7.1: ./ res/

[SVN commits to the Asterisk project]

Author: bebuild
Date: Thu Nov 20 11:06:20 2014
New Revision: 428444

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428444
Log:
Merge r428304 for AST-2014-016

Modified:
    tags/12.7.1/   (props changed)
    tags/12.7.1/ChangeLog
    tags/12.7.1/res/res_pjsip_refer.c

Propchange: tags/12.7.1/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov 20 11:06:20 2014
@@ -1,1 +1,1 @@
-/branches/12:427382,428301,428333,428409,428422
+/branches/12:427382,428301,428304,428333,428409,428422

Modified: tags/12.7.1/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/12.7.1/ChangeLog?view=diff&rev=428444&r1=428443&r2=428444
==============================================================================
--- tags/12.7.1/ChangeLog (original)
+++ tags/12.7.1/ChangeLog Thu Nov 20 11:06:20 2014
@@ -36,6 +36,22 @@
 
 	  ASTERISK-24471 #close
 	  Reported by: yaron nahum
+
+	* AST-2014-016: Fix crash when receiving an in-dialog INVITE with
+	  Replaces in res_pjsip_refer.
+
+	  The implementation of INVITE with Replaces in res_pjsip_refer did not
+	  expect them to occur in-dialog. As a result it would incorrectly
+	  attempt to hang up a channel it thought was under its control. In
+	  reality the channel would be under the control of another thread.
+	  When the other thread accessed the channel it would be accessing
+	  freed memory and could crash.
+
+	  This change makes res_pjsip_refer not act on an in-dialog INVITE
+	  with Replaces.
+
+	  ASTERISK-24528 #close
+	  Reported by: Joshua Colp
 
 	* AST-2014-018 - func_db: DB Dialplan function permission escalation
 	  via AMI.

Modified: tags/12.7.1/res/res_pjsip_refer.c
URL: http://svnview.digium.com/svn/asterisk/tags/12.7.1/res/res_pjsip_refer.c?view=diff&rev=428444&r1=428443&r2=428444
==============================================================================
--- tags/12.7.1/res/res_pjsip_refer.c (original)
+++ tags/12.7.1/res/res_pjsip_refer.c Thu Nov 20 11:06:20 2014
@@ -785,6 +785,12 @@
 	other_session = ast_sip_dialog_get_session(other_dlg);
 	pjsip_dlg_dec_lock(other_dlg);
 
+	/* Don't accept an in-dialog INVITE with Replaces as it does not make much sense */
+	if (session->inv_session->dlg->state == PJSIP_DIALOG_STATE_ESTABLISHED) {
+		response = 488;
+		goto end;
+	}
+
 	if (!other_session) {
 		response = 481;
 		ast_debug(3, "INVITE with Replaces received on channel '%s' from endpoint '%s', but requested session does not exist\n",
@@ -831,14 +837,20 @@
 
 end:
 	if (response) {
-		ast_debug(3, "INVITE with Replaces failed on channel '%s', sending response of '%d'\n",
-			ast_channel_name(session->channel), response);
-		session->defer_terminate = 1;
-		ast_hangup(session->channel);
-		session->channel = NULL;
-
-		if (pjsip_inv_end_session(session->inv_session, response, NULL, &packet) == PJ_SUCCESS) {
-			ast_sip_session_send_response(session, packet);
+		if (session->inv_session->dlg->state != PJSIP_DIALOG_STATE_ESTABLISHED) {
+			ast_debug(3, "INVITE with Replaces failed on channel '%s', sending response of '%d'\n",
+				ast_channel_name(session->channel), response);
+			session->defer_terminate = 1;
+			ast_hangup(session->channel);
+			session->channel = NULL;
+
+			if (pjsip_inv_end_session(session->inv_session, response, NULL, &packet) == PJ_SUCCESS) {
+				ast_sip_session_send_response(session, packet);
+			}
+		} else {
+			ast_debug(3, "INVITE with Replaces in-dialog on channel '%s', hanging up\n",
+				ast_channel_name(session->channel));
+			ast_queue_hangup(session->channel);
 		}
 	}