Commit 4ad78be5 authored by Sébastien Blin's avatar Sébastien Blin Committed by Adrien Béraud

sipcall: avoid use after free on the invite session

pjsip uses a counter to delete objects when the ref counter is equals to 0.
This means that our unique_ptr on the invite will be invalid if resources are
already freed by pjproject. To avoid this, we need to increment and decrement
the counter when we respectively create and destroy our unique_ptr on the
invite session

Change-Id: Ida5c687004b91100f1c10f83e32c1a40264c775c
parent 957cc3f2
......@@ -1329,7 +1329,10 @@ SIPCall::InvSessionDeleter::operator ()(pjsip_inv_session* inv) const noexcept
{
// prevent this from getting accessed in callbacks
// JAMI_WARN: this is not thread-safe!
if (!inv) return;
inv->mod_data[getSIPVoIPLink()->getModId()] = nullptr;
// NOTE: the counter is incremented by sipvoiplink (transaction_request_cb)
pjsip_inv_dec_ref(inv);
}
bool
......
......@@ -385,6 +385,11 @@ transaction_request_cb(pjsip_rx_data *rdata)
pjsip_dlg_dec_lock(dialog);
inv->mod_data[mod_ua_.id] = call.get();
// NOTE: The invitation counter is managed by pjsip. If that counter goes down to zero
// the invite will be destroyed, and the unique_ptr will point freed datas.
// To avoid this, we increment the ref counter and let our unique_ptr manage
// when the invite will be freed
pjsip_inv_add_ref(inv);
call->inv.reset(inv);
// Check whether Replaces header is present in the request and process accordingly.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment