From 96abe79ddf70900c74a3859dcbe9c2a9c04e5619 Mon Sep 17 00:00:00 2001
From: Alexei Gradinari <alex2grad@gmail.com>
Date: Thu, 5 Jul 2018 17:02:00 -0400
Subject: [PATCH] res_pjsip_pubsub: segfault in function publish_expire

The function pubsub_on_rx_publish_request incorrectly uses
AST_SCHED_REPLACE_UNREF.

The AST_SCHED_REPLACE_UNREF should unref old '_data'.

Because of this, there may be a double unref
of variable 'publication' when ast_sched_del is unsuccessful
that leads to use after free of the 'publication' in publish_expire.

ASTERISK-27956 #close

Change-Id: Ie0f0cfc7e036953d890b188656010b325a5cdc82
---
 res/res_pjsip_pubsub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 587c533eff..8f3b2f5562 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -3354,7 +3354,7 @@ static pj_bool_t pubsub_on_rx_publish_request(pjsip_rx_data *rdata)
 			ao2_link(handler->publications, publication);
 
 			AST_SCHED_REPLACE_UNREF(publication->sched_id, sched, expires * 1000, publish_expire, publication,
-						ao2_ref(publication, -1), ao2_ref(publication, -1), ao2_ref(publication, +1));
+						ao2_ref(_data, -1), ao2_ref(publication, -1), ao2_ref(publication, +1));
 		} else {
 			AST_SCHED_DEL_UNREF(sched, publication->sched_id, ao2_ref(publication, -1));
 		}
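Review bot: The new unref expression on the `+` line names `_data`, an identifier that is not declared anywhere in the visible code and is only meaningful because AST_SCHED_REPLACE_UNREF binds it internally to the data of the entry being replaced, as the commit description says; a maintainer reading the call site will see an apparently undefined variable and may "correct" it back to `publication`, reintroducing the double unref. A short comment above the macro call would pin that down, e.g. `/* '_data' is bound by AST_SCHED_REPLACE_UNREF to the data of the scheduler entry it replaces; releasing it there (not 'publication') avoids a double unref of 'publication' in publish_expire */`. Since the fix couples this file to the macro's internal naming, that coupling is worth stating in the macro's own documentation as well, if it is not already. The enclosing function pubsub_on_rx_publish_request starts and ends outside the hunk.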
-- 
GitLab