From 8a7dd2f40880f988ea017294ad8001bf0e1825b5 Mon Sep 17 00:00:00 2001
From: Mark Michelson <mmichelson@digium.com>
Date: Fri, 15 Feb 2013 18:51:40 +0000
Subject: [PATCH] Fix a crash that occurred when a BYE was received on a
 replaced dialog.

Reference counting for the channel and its tech_pvt got messed up at
some point between 1.8 and 11. The result was that if a BYE for a dialog
that had been replaced (via an INVITE with Replaces) was received, Asterisk
would crash due to trying to access data on a channel that was no longer there.

The fix I introduced is to remove code that both unrefs the sip_pvt and sets
the channel's tech_pvt to NULL when an INVITE with Replaces is handled. This
way when a BYE is received, the tech_pvt will be non-NULL and so the BYE can
be processed and not cause a crash.

(closes issue ASTERISK-20929)
reported by Kristopher Lalletti
patches:
	ASTERISK-20929.patch uploaded by Mark Michelson (License #5049)
........

Merged revisions 381566 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@381568 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 channels/chan_sip.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index ab30761af5..af79f4b683 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -24815,9 +24815,6 @@ static int handle_invite_replaces(struct sip_pvt *p, struct sip_request *req, st
 	ast_setstate(c, AST_STATE_DOWN);
 	ast_channel_unlock(c);
 
-	/* The call should be down with no ast_channel, so hang it up */
-	ast_channel_tech_pvt_set(c, dialog_unref(ast_channel_tech_pvt(c), "unref dialog c->tech_pvt"));
-
 	/* c and c's tech pvt must be unlocked at this point for ast_hangup */
 	ast_hangup(c);
 	/* this indicates to handle_request_do that the owner channel has already been unlocked */
-- 
GitLab