From 22eb1b48c03037a823a25d1f4ca86077a432c30a Mon Sep 17 00:00:00 2001
From: Mark Michelson <mmichelson@digium.com>
Date: Mon, 25 Jan 2016 16:51:25 -0600
Subject: [PATCH] res_pjsip_pubsub: Prevent crash from AMI command on freed
 subscription.

A test recently uncovered that running an ill-timed AMI command to show
inbound subscriptions could cause a crash since Asterisk will try to
operate on a freed subscription.

The fix for this is to remove the subscription tree from the list of
subscriptions at the time that we are sending our final NOTIFY request
out. This way, as the subscription is in the process of dying, it is
inaccessible from AMI.

Change-Id: Ic0239003d8d73e04c47c12dd2a7e23867e5b5b23
(cherry picked from commit b073244c511f9634de57ea401ab9dbebcf2390e8)
---
 res/res_pjsip_pubsub.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 8d3ea6f5cf..fd0119004f 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1197,8 +1197,6 @@ static void subscription_tree_destructor(void *obj)
 
 	ast_debug(3, "Destroying subscription tree %p\n", sub_tree);
 
-	remove_subscription(sub_tree);
-
 	ao2_cleanup(sub_tree->endpoint);
 
 	destroy_subscriptions(sub_tree->root);
@@ -3277,6 +3275,7 @@ static void pubsub_on_evsub_state(pjsip_evsub *evsub, pjsip_event *event)
 		}
 	}
 
+	remove_subscription(sub_tree);
 	pjsip_evsub_set_mod_data(evsub, pubsub_module.id, NULL);
 	sub_tree->evsub = NULL;
 	ast_sip_dialog_set_serializer(sub_tree->dlg, NULL);
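Review bot: With the call removed from subscription_tree_destructor in the first hunk, the `remove_subscription(sub_tree);` added here is the only visible place a tree leaves the subscription list, so a tree destroyed without reaching this line would stay in the list as a dangling entry, the same use-after-free this commit closes for AMI. The start and end of pubsub_on_evsub_state are outside the hunk, so it cannot be confirmed from here whether an earlier return or a failed subscription setup can skip the call. If remove_subscription tolerates a tree that is already unlinked (not visible in this diff), keeping the destructor call as a backstop would cover those paths; otherwise record the invariant with a comment such as `/* Unlink before teardown so AMI list walkers cannot reach a dying tree; the destructor no longer unlinks. */`. It is also worth confirming that the AMI walker holds the list lock for as long as it uses each entry, since unlinking does not protect a walker that has already fetched the pointer.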
-- 
GitLab