From 070eab6ed26b1bc287618f0372b8b4489f7479f3 Mon Sep 17 00:00:00 2001
From: Joshua Colp <jcolp@digium.com>
Date: Tue, 24 May 2016 07:28:17 -0300
Subject: [PATCH] res_pjsip_outbound_publish: Ensure publish is valid when
 explicitly destroying.

Recent changes to res_pjsip_outbound_publish have introduced a
race condition at shutdown where an outbound publish may be shutdown
twice. In this case the first succeeds as a result of the unpublish.
In the second invocation since it's been unpublished a task is
queued to just destroy the client. This task holds no ref to the
publish and as a result the publish may be destroyed before the
task is run, causing a crash.

This explicit destruction task now holds a reference to the publish
to ensure it remains valid.

ASTERISK-26053 #close

Change-Id: I10789b98add3e50292ee3b33a55a1d9061cec94b
---
 res/res_pjsip_outbound_publish.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/res/res_pjsip_outbound_publish.c b/res/res_pjsip_outbound_publish.c
index 1c3b0c6444..53e15a0a48 100644
--- a/res/res_pjsip_outbound_publish.c
+++ b/res/res_pjsip_outbound_publish.c
@@ -1125,6 +1125,8 @@ static int explicit_publish_destroy(void *data)
 		ao2_ref(publisher, -1);
 	}
 
+	ao2_ref(publisher, -1);
+
 	return 0;
 }
 
@@ -1140,7 +1142,9 @@ static int cancel_and_unpublish(void *obj, void *arg, int flags)
 		/* If the publisher was never started, there's nothing to unpublish, so just
 		 * destroy the publication and remove its reference to the publisher.
 		 */
-		ast_sip_push_task(NULL, explicit_publish_destroy, publisher);
+		if (ast_sip_push_task(NULL, explicit_publish_destroy, ao2_bump(publisher))) {
+			ao2_ref(publisher, -1);
+		}
 		return 0;
 	}
 
-- 
GitLab