From ad395080957b33a17f6cfe2c83697bebef286c25 Mon Sep 17 00:00:00 2001
From: Mark Michelson <mmichelson@digium.com>
Date: Mon, 28 Sep 2015 16:36:25 -0500
Subject: [PATCH] res_pjsip_pubsub: Prevent crashes on final NOTIFY.

The SIP dialog is removed from the subscription tree when the final
NOTIFY is sent. However, after the final NOTIFY is sent, the persistence
update function still attempts to access the cseq from the dialog,
resulting in a crash.

This fix removes the subscription persistence at the same time that the
dialog is removed from the subscription tree. This way, there is no
attempt to update persistence when the subscription is being destroyed.

Change-Id: Ibb46977a6cef9c51dc95f40f43446e3d11eed5bb
---
 res/res_pjsip_pubsub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index bb2f243952..2391c883a3 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -598,6 +598,7 @@ static void subscription_persistence_remove(struct sip_subscription_tree *sub_tr
 
 	ast_sorcery_delete(ast_sip_get_sorcery(), sub_tree->persistence);
 	ao2_ref(sub_tree->persistence, -1);
+	sub_tree->persistence = NULL;
 }
 
 
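Review bot: The added `sub_tree->persistence = NULL;` only protects later callers if every reader of `sub_tree->persistence` tests it first, including this function's own entry check, which lies above the hunk and is not visible here. A short comment on the new line would record the intent, for example `/* Drop the dangling pointer: later persistence updates and a repeated remove must see NULL, not a released object. */`. If the function does not already return early when `persistence` is NULL, a second call would hand NULL to `ast_sorcery_delete()` and `ao2_ref()`, so that guard is worth confirming.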
@@ -1185,7 +1186,6 @@ static void subscription_tree_destructor(void *obj)
 
 	remove_subscription(sub_tree);
 
-	subscription_persistence_remove(sub_tree);
 	ao2_cleanup(sub_tree->endpoint);
 
 	destroy_subscriptions(sub_tree->root);
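Review bot: With `subscription_persistence_remove(sub_tree)` gone from `subscription_tree_destructor`, a tree destroyed without passing through the dialog-teardown code in `pubsub_on_evsub_state` would keep its reference on `sub_tree->persistence` and leave the stored record behind. Whether such a path exists (for example a failure during subscription setup) cannot be seen from this hunk. The visible lines of `subscription_persistence_remove` do not touch the dialog, and the pointer is now reset to NULL after removal, so retaining the call here looks safe as a backstop, provided the function returns early on NULL. If deleting the record at destruction is not wanted, `ao2_cleanup(sub_tree->persistence);` would at least release the reference. The destructor continues beyond the hunk.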
@@ -3289,6 +3289,7 @@ static void pubsub_on_evsub_state(pjsip_evsub *evsub, pjsip_event *event)
 	ast_sip_dialog_set_serializer(sub_tree->dlg, NULL);
 	ast_sip_dialog_set_endpoint(sub_tree->dlg, NULL);
 	sub_tree->dlg = NULL;
+	subscription_persistence_remove(sub_tree);
 	shutdown_subscriptions(sub_tree->root);
 
 	/* Remove evsub's reference to the sub_tree */
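Review bot: The crash described in the commit message is a dereference of the dialog after `sub_tree->dlg = NULL`, and the added `subscription_persistence_remove(sub_tree);` avoids it only indirectly, by making the persistence pointer NULL as well. The persistence update function is not part of this diff and presumably still reads the cseq from `sub_tree->dlg` without checking it. A direct guard there, along the lines of `if (!sub_tree->dlg) return;`, would keep the two pointers from having to be cleared in lockstep. The coupling is also worth documenting at this call, e.g. `/* The dialog is gone; drop persistence so no later update dereferences sub_tree->dlg. */`. The enclosing condition in `pubsub_on_evsub_state` starts above the hunk.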
-- 
GitLab