Ticket #1959 (closed defect: fixed)
Add reference counter to pjsip_inv_session to avoid race condition
Reported by: riza
Owned by: bennylp
Backport to 1.x milestone:
Backported: no
When a transport error occurs on an INVITE session, the stack calls on_tsx_state_changed with the new state PJSIP_INV_STATE_DISCONNECTED and immediately destroys the INVITE session. At the same time, this INVITE session could be being processed on another thread. That thread could then use the session's memory pools, which have already been freed, so we get a segfault (a use-after-free).
This ticket adds a reference counter and new functions: pjsip_inv_add_ref and pjsip_inv_dec_ref. The INVITE session is destroyed only when the reference counter has reached zero.
To avoid the race condition, an application should take a reference with pjsip_inv_add_ref() before handing the INVITE session to another thread (for example, when queuing it) and release it with pjsip_inv_dec_ref() when it is finished with the session; the stack's own reference is then no longer the only thing keeping the session alive.
Scenario using TLS:
- An incoming INVITE is received, and pjsip calls on_rx_request.
- In on_rx_request, the application pushes the INVITE session's data onto a task queue.
- The application pops the task and starts processing the INVITE session on a different thread.
- The TCP/TLS connection is disconnected (transport error); as a result the transaction goes to PJSIP_TSX_STATE_TERMINATED.
- pjsip calls inv_set_state with state PJSIP_INV_STATE_DISCONNECTED.
- pjsip calls on_tsx_state_changed.
- The application receives on_tsx_state_changed, but on a different thread than the one on which this INVITE session is being processed.
- pjsip destroys the INVITE session while the application is still processing it.
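The following is an added example, not code from this ticket or from PJSIP. It replays the interleaving above against a small stand-alone model of the reference-counting scheme: the demo_ struct and functions are assumed stand-ins for pjsip_inv_session, pjsip_inv_add_ref() and pjsip_inv_dec_ref() (the real functions return pj_status_t and the real session has more fields), and the worker's state check is this example's own caveat, not something the ticket prescribes. It does not link against PJSIP and runs on its own.

```c
/* Added example: a self-contained model of the reference counter this ticket
 * introduces. Everything prefixed demo_ is an assumption of this example and
 * stands in for pjsip_inv_session / pjsip_inv_add_ref / pjsip_inv_dec_ref. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum demo_inv_state { DEMO_INV_STATE_ACTIVE, DEMO_INV_STATE_DISCONNECTED };

typedef struct demo_inv_session {
    atomic_int ref_cnt;          /* owners of the session: stack + application */
    enum demo_inv_state state;
    char *pool;                  /* stands in for the session's memory pool */
} demo_inv_session;

/* Counts real destructions so the sequence can be checked from outside. */
static int demo_sessions_destroyed;

static void demo_inv_destroy(demo_inv_session *inv)
{
    free(inv->pool);
    free(inv);
    demo_sessions_destroyed++;
}

/* The stack creates the session and holds the initial reference. */
demo_inv_session *demo_inv_create(void)
{
    demo_inv_session *inv = calloc(1, sizeof(*inv));
    if (!inv) return NULL;
    inv->pool = calloc(64, 1);
    atomic_init(&inv->ref_cnt, 1);
    inv->state = DEMO_INV_STATE_ACTIVE;
    return inv;
}

int demo_inv_ref_count(const demo_inv_session *inv)
{
    return atomic_load(&inv->ref_cnt);
}

/* Stand-in for pjsip_inv_add_ref(): take a reference BEFORE the session is
 * handed to a queue or another thread. */
void demo_inv_add_ref(demo_inv_session *inv)
{
    atomic_fetch_add(&inv->ref_cnt, 1);
}

/* Stand-in for pjsip_inv_dec_ref(): drop a reference; the session is freed
 * only when the last reference goes. Returns true if it was destroyed. */
bool demo_inv_dec_ref(demo_inv_session *inv)
{
    if (atomic_fetch_sub(&inv->ref_cnt, 1) == 1) {
        demo_inv_destroy(inv);
        return true;
    }
    return false;
}

/* Stack side on a transport error: mark the session DISCONNECTED and release
 * the stack's reference. Before the fix this path destroyed unconditionally. */
void demo_stack_transport_error(demo_inv_session *inv)
{
    inv->state = DEMO_INV_STATE_DISCONNECTED;
    demo_inv_dec_ref(inv);
}

/* Worker-thread side (after popping the task). The pool is safe to touch
 * because the application still owns a reference; the state check is this
 * example's own precaution so a dead session is not acted on. Returns whether
 * the INVITE was actually processed; always releases the app's reference. */
bool demo_app_worker(demo_inv_session *inv)
{
    bool processed = false;
    if (inv->state == DEMO_INV_STATE_ACTIVE) {
        strcpy(inv->pool, "processing INVITE");
        processed = true;
    }
    demo_inv_dec_ref(inv);   /* may be the last reference: session freed here */
    return processed;
}

int main(void)
{
    demo_inv_session *inv = demo_inv_create();
    demo_inv_add_ref(inv);               /* on_rx_request: queue the task   */
    demo_stack_transport_error(inv);     /* transport drops mid-processing  */
    printf("after transport error: refs=%d destroyed=%d\n",
           demo_inv_ref_count(inv), demo_sessions_destroyed);
    bool done = demo_app_worker(inv);    /* worker finishes, last ref goes  */
    printf("worker processed=%d destroyed=%d\n", done, demo_sessions_destroyed);
    return 0;
}
```

The sequence to note is in main(): after the transport error the session still has one reference (the application's) and has not been freed, so the worker's use of the pool is valid; the destruction happens on the worker's dec_ref. Without the application's add_ref the stack's dec_ref would take the count to zero at the transport error, which is exactly the original crash.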
Thanks to Alexei Gradinari for the original patch.