res_pjsip_outbound_publish: Ensure publish is valid when explicitly destroying.

Recent changes to res_pjsip_outbound_publish have introduced a race condition at shutdown where an outbound publish may be shutdown twice. In this case the first succeeds as a result of the unpublish. In the second invocation since it's been unpublished a task is queued to just destroy the client. This task holds no ref to the publish and as a result the publish may be destroyed before the task is run, causing a crash. This explicit destruction task now holds a reference to the publish to ensure it remains valid. ASTERISK-26053 #close Change-Id: I10789b98add3e50292ee3b33a55a1d9061cec94b
2016-05-24 07:28:17 -03:00 · 2016-05-24 07:28:17 -03:00 · 070eab6ed2
parent 56d5af4584
commit 070eab6ed2
1 changed files with 5 additions and 1 deletions
--- a/res/res_pjsip_outbound_publish.c
+++ b/res/res_pjsip_outbound_publish.c
@ -1125,6 +1125,8 @@ static int explicit_publish_destroy(void *data)
 		ao2_ref(publisher, -1);
 	}

+	ao2_ref(publisher, -1);
+
 	return 0;
 }

@ -1140,7 +1142,9 @@ static int cancel_and_unpublish(void *obj, void *arg, int flags)
 		/* If the publisher was never started, there's nothing to unpublish, so just
 		 * destroy the publication and remove its reference to the publisher.
 		 */
-		ast_sip_push_task(NULL, explicit_publish_destroy, publisher);
+		if (ast_sip_push_task(NULL, explicit_publish_destroy, ao2_bump(publisher))) {
+			ao2_ref(publisher, -1);
+		}
 		return 0;
 	}