[svn-commits] mmichelson: branch mmichelson/rls-rlmi r419908 - /team/mmichelson/rls-rlmi/res/

SVN commits to the Digium repositories svn-commits at lists.digium.com
Fri Aug 1 14:40:28 CDT 2014 

Author: mmichelson
Date: Fri Aug  1 14:40:24 2014
New Revision: 419908

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=419908
Log:
Fix situation where we were writing to freed memory.

Sending a NOTIFY that terminates a subscription results in the
subscription tree's refcount being decremented. Therefore, in
a situation when sending a NOTIFY that may terminate a subscription,
bumping the refcount is necessary prior to sending the NOTIFY.

This was already actually being done, but its scope of the reference
bump was too narrow.


Modified:
    team/mmichelson/rls-rlmi/res/res_pjsip_pubsub.c

Modified: team/mmichelson/rls-rlmi/res/res_pjsip_pubsub.c
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/rls-rlmi/res/res_pjsip_pubsub.c?view=diff&rev=419908&r1=419907&r2=419908
==============================================================================
--- team/mmichelson/rls-rlmi/res/res_pjsip_pubsub.c (original)
+++ team/mmichelson/rls-rlmi/res/res_pjsip_pubsub.c Fri Aug  1 14:40:24 2014
@@ -1464,7 +1464,6 @@
 #endif
 	int res;
 
-	ao2_ref(sub_tree, +1);
 	res = pjsip_evsub_send_request(sub_tree->evsub, tdata) == PJ_SUCCESS ? 0 : -1;
 
 	subscription_persistence_update(sub_tree, NULL);
@@ -1474,7 +1473,6 @@
 		"Endpoint: %s\r\n",
 		pjsip_evsub_get_state_name(sub_tree->evsub),
 		ast_sorcery_object_get_id(endpoint));
-	ao2_cleanup(sub_tree);
 
 	return res;
 }
@@ -2886,6 +2884,14 @@
 		return;
 	}
 
+	/* If sending a NOTIFY to terminate a subscription, then pubsub_on_evsub_state()
+	 * will be called when we send the NOTIFY, and that will result in dropping the
+	 * refcount of sub_tree by one, and possibly destroying the sub_tree. We need to
+	 * hold a reference to the sub_tree until this function returns so that we don't
+	 * try to read from or write to freed memory by accident
+	 */
+	ao2_ref(sub_tree, +1);
+
 	if (pjsip_evsub_get_state(evsub) == PJSIP_EVSUB_STATE_TERMINATED) {
 		set_state_terminated(sub_tree->root);
 	}
@@ -2897,6 +2903,8 @@
 	if (sub_tree->is_list) {
 		pj_list_insert_before(res_hdr, create_require_eventlist(rdata->tp_info.pool));
 	}
+
+	ao2_ref(sub_tree, -1);
 }
 
 static void pubsub_on_rx_notify(pjsip_evsub *evsub, pjsip_rx_data *rdata, int *p_st_code,

More information about the svn-commits mailing list