From f2c14f00b8ae4cd1fa809db705d4c368f1cfed1a Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Fri, 18 Aug 2017 17:37:12 -0500
Subject: [PATCH] res_pjsip_session.c: Fix crash when declining an active
 stream.

If a previously active stream is declined we could crash because the
channel's thread is still using the stream while we are updating the
topology in the serializer thread.

* Defer removing any declined stream's handler until we have blocked the
channel's thread with the channel lock.

ASTERISK-27212

Change-Id: I50e1d3ef26f8e41948f4c411ee329aa3b960a420
---
 res/res_pjsip_session.c | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index c4b0041a12..b6b8a21ac3 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -784,12 +784,11 @@ static int handle_negotiated_sdp(struct ast_sip_session *session, const pjmedia_
 		 * we remove it as a result of the stream limit being reached.
 		 */
 		if (ast_stream_get_state(stream) == AST_STREAM_STATE_REMOVED) {
-			/* This stream is no longer being used so release any resources the handler
-			 * may have on it.
+			/*
+			 * Defer removing the handler until we are ready to activate
+			 * the new topology.  The channel's thread may still be using
+			 * the stream and we could crash before we are ready.
 			 */
-			if (session_media->handler) {
-				session_media_set_handler(session_media, NULL);
-			}
 			continue;
 		}
 
@@ -801,6 +800,32 @@ static int handle_negotiated_sdp(struct ast_sip_session *session, const pjmedia_
 	/* Apply the pending media state to the channel and make it active */
 	ast_channel_lock(session->channel);
 
+	/* Now update the stream handler for any declined/removed streams */
+	for (i = 0; i < local->media_count; ++i) {
+		struct ast_sip_session_media *session_media;
+		struct ast_stream *stream;
+
+		if (!remote->media[i]) {
+			continue;
+		}
+
+		ast_assert(i < AST_VECTOR_SIZE(&session->pending_media_state->sessions));
+		ast_assert(i < ast_stream_topology_get_count(session->pending_media_state->topology));
+
+		session_media = AST_VECTOR_GET(&session->pending_media_state->sessions, i);
+		stream = ast_stream_topology_get_stream(session->pending_media_state->topology, i);
+
+		if (ast_stream_get_state(stream) == AST_STREAM_STATE_REMOVED
+			&& session_media->handler) {
+			/*
+			 * This stream is no longer being used and the channel's thread
+			 * is held off because we have the channel lock so release any
+			 * resources the handler may have on it.
+			 */
+			session_media_set_handler(session_media, NULL);
+		}
+	}
+
 	/* Update the topology on the channel to match the accepted one */
 	topology = ast_stream_topology_clone(session->pending_media_state->topology);
 	if (topology) {
@@ -814,8 +839,9 @@ static int handle_negotiated_sdp(struct ast_sip_session *session, const pjmedia_
 
 	/* Add all the file descriptors from the pending media state */
 	for (i = 0; i < AST_VECTOR_SIZE(&session->pending_media_state->read_callbacks); ++i) {
-		struct ast_sip_session_media_read_callback_state *callback_state = AST_VECTOR_GET_ADDR(&session->pending_media_state->read_callbacks, i);
+		struct ast_sip_session_media_read_callback_state *callback_state;
 
+		callback_state = AST_VECTOR_GET_ADDR(&session->pending_media_state->read_callbacks, i);
 		ast_channel_internal_fd_set(session->channel, i + AST_EXTENDED_FDS, callback_state->fd);
 	}
 
-- 
GitLab