res_pjsip_pubsub: potential crash on timeout

What seems to be happening is if a subscription has been terminated and the subscription timeout/expires is less than the time it takes for all pending transactions (currently on the subscription) to end then the subscription timer will not have been canceled yet and sub will be null. Since the subscription has already been canceled nothing needs to be done so a null check in the asterisk code is sufficient in working around this problem. (closes issue ASTERISK-23129) Reported by: Dan Jenkins ........ Merged revisions 406847 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@406848 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-09-06 04:30:28 +00:00 · 2014-01-28 23:40:28 +00:00
parent ade5c8a2a4
commit 565198b44b
1 changed files with 9 additions and 0 deletions
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1234,6 +1234,15 @@ static void pubsub_on_server_timeout(pjsip_evsub *evsub)
 {
 	struct ast_sip_subscription *sub = pjsip_evsub_get_mod_data(evsub, pubsub_module.id);

+	if (!sub) {
+		/* if a subscription has been terminated and the subscription
+		   timeout/expires is less than the time it takes for all pending
+		   transactions to end then the subscription timer will not have
+		   been canceled yet and sub will be null, so do nothing since
+		   the subscription has already been terminated. */
+		return;
+	}
+
 	ao2_ref(sub, +1);
 	ast_sip_push_task(sub->serializer, serialized_pubsub_on_server_timeout, sub);
 }