[Asterisk-code-review] PJSIP FAX: Fix T.38 automatic reject timer NULL channel poin... (asterisk[master])

Joshua Colp asteriskteam at digium.com
Tue Jul 7 17:20:54 CDT 2015


Joshua Colp has submitted this change and it was merged.

Change subject: PJSIP FAX: Fix T.38 automatic reject timer NULL channel pointer dereferences.
......................................................................


PJSIP FAX: Fix T.38 automatic reject timer NULL channel pointer dereferences.

When a caller calls a FAX number and then hangs up right after the call is
answered then the T.38 re-INVITE automatic reject timer may still be
running after the channel goes away.

* Added session NULL channel checks on the code paths that get executed by
t38_automatic_reject() to prevent a crash when the T.38 re-INVITE
automatic reject timer expires.

ASTERISK-25168
Reported by: Carl Fortin

Change-Id: I07b6cd23815aedce5044f8f32543779e2f7a2403
---
M res/res_pjsip_session.c
M res/res_pjsip_t38.c
2 files changed, 14 insertions(+), 7 deletions(-)

Approvals:
  Mark Michelson: Looks good to me, but someone else must approve
  Anonymous Coward #1000019: Verified
  Joshua Colp: Looks good to me, approved



diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index c729594..84c343d 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -1039,7 +1039,10 @@
 		return;
 	}
 
-	pjsip_endpt_process_rx_data(ast_sip_get_pjsip_endpoint(), session->deferred_reinvite, NULL, NULL);
+	if (session->channel) {
+		pjsip_endpt_process_rx_data(ast_sip_get_pjsip_endpoint(),
+			session->deferred_reinvite, NULL, NULL);
+	}
 	pjsip_rx_data_free_cloned(session->deferred_reinvite);
 	session->deferred_reinvite = NULL;
 }
diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index addfd58..d5052d9 100644
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
@@ -135,10 +135,13 @@
 	}
 
 	session->t38state = new_state;
-	ast_debug(2, "T.38 state changed to '%u' from '%u' on channel '%s'\n", new_state, old_state, ast_channel_name(session->channel));
+	ast_debug(2, "T.38 state changed to '%u' from '%u' on channel '%s'\n",
+		new_state, old_state,
+		session->channel ? ast_channel_name(session->channel) : "<gone>");
 
 	if (pj_timer_heap_cancel(pjsip_endpt_get_timer_heap(ast_sip_get_pjsip_endpoint()), &state->timer)) {
-		ast_debug(2, "Automatic T.38 rejection on channel '%s' terminated\n", ast_channel_name(session->channel));
+		ast_debug(2, "Automatic T.38 rejection on channel '%s' terminated\n",
+			session->channel ? ast_channel_name(session->channel) : "<gone>");
 		ao2_ref(session, -1);
 	}
 
@@ -198,7 +201,8 @@
 		return 0;
 	}
 
-	ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n", ast_channel_name(session->channel));
+	ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
+		session->channel ? ast_channel_name(session->channel) : "<gone>");
 
 	t38_change_state(session, session_media, datastore->data, T38_REJECTED);
 	ast_sip_session_resume_reinvite(session);
@@ -227,9 +231,9 @@
 		return datastore->data;
 	}
 
-	if (!(datastore = ast_sip_session_alloc_datastore(&t38_datastore, "t38")) ||
-		!(datastore->data = ast_calloc(1, sizeof(struct t38_state))) ||
-		ast_sip_session_add_datastore(session, datastore)) {
+	if (!(datastore = ast_sip_session_alloc_datastore(&t38_datastore, "t38"))
+		|| !(datastore->data = ast_calloc(1, sizeof(struct t38_state)))
+		|| ast_sip_session_add_datastore(session, datastore)) {
 		return NULL;
 	}
 

-- 
To view, visit https://gerrit.asterisk.org/804
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I07b6cd23815aedce5044f8f32543779e2f7a2403
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Richard Mudgett <rmudgett at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>



More information about the asterisk-code-review mailing list