Ticket #2007 (closed defect: fixed)
Possible crash when using session timer due to the early release of dialog pool
Reported by: riza
Owned by: bennylp
Backport to 1.x milestone:
Backported: no
There is a possible use-after-free in sip_timer.c::timer_cb(), more specifically in the last log call made in that function.
This is because the dialog that corresponds to the pjsip_inv_session object is unlocked at that point, and the dialog may be destroyed in the subsequent call to pjsip_inv_send_msg(). Since the invite session object's memory pool is simply the dialog's memory pool (and the invite session object itself is allocated from that same pool), the memory the log call reads may already have been released by the time the log call is executed.
The issue was encountered when testing the session expiration timeout: after a call has been established from A to B, B's network connection is cut and the session expiration timeout is awaited. Once the timer fires, the case above seems to occur.
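As an added illustration of the lifetime problem described above (this is example code, not code from the ticket or from PJSIP), the following C program models a dialog whose pool also holds the invite session, a send that can destroy the dialog synchronously when the peer is unreachable, and three timer callbacks: the vulnerable order (log after the send), a snapshot fix that copies the fields the log needs before the send, and a reference-hold fix that defers destruction until the callback is done. All names (pool_t, dialog_t, inv_session_t, inv_create, send_msg, dialog_dec_session, timer_cb_*) are hypothetical stand-ins for pj_pool_t, pjsip_dialog, pjsip_inv_session, pjsip_inv_send_msg() and pjsip_dlg_inc_session()/pjsip_dlg_dec_session(). The toy pool poisons and marks its arena dead instead of freeing it, so the late access is reported as a return value rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy arena standing in for pj_pool_t (hypothetical). pool_release() poisons
 * the arena and marks it dead instead of freeing it, so a late access can be
 * detected; the pool_t header itself stays valid for that check. */
typedef struct pool {
    unsigned char mem[256];
    size_t used;
    int alive;
} pool_t;

static pool_t *pool_create(void) {
    pool_t *p = calloc(1, sizeof *p);
    if (p) p->alive = 1;
    return p;
}
static void *pool_alloc(pool_t *p, size_t n) {
    void *r = p->mem + p->used;
    p->used += (n + 7) & ~(size_t)7;   /* 8-byte alignment */
    return r;
}
static void pool_release(pool_t *p) {
    memset(p->mem, 0xDD, sizeof p->mem);   /* poison released memory */
    p->alive = 0;
}

/* Dialog and invite session, both carved out of the dialog's pool, mirroring
 * the ownership the ticket describes (hypothetical layout). */
typedef struct dialog {
    pool_t *pool;
    int sess_count;      /* owners, like pjsip_dlg_inc/dec_session() */
    int peer_reachable;  /* 0 models B's network connection being cut */
    char call_id[32];
} dialog_t;

typedef struct inv_session {
    dialog_t *dlg;
    pool_t *pool;        /* same pool as dlg->pool */
    int expires;
} inv_session_t;

static inv_session_t *inv_create(const char *call_id, int expires, int peer_reachable) {
    pool_t *pool = pool_create();
    dialog_t *dlg = pool_alloc(pool, sizeof *dlg);
    inv_session_t *inv = pool_alloc(pool, sizeof *inv);
    dlg->pool = pool; dlg->sess_count = 1; dlg->peer_reachable = peer_reachable;
    snprintf(dlg->call_id, sizeof dlg->call_id, "%s", call_id);
    inv->dlg = dlg; inv->pool = pool; inv->expires = expires;
    return inv;
}

static void dialog_dec_session(dialog_t *dlg) {
    if (--dlg->sess_count == 0)
        pool_release(dlg->pool);   /* dlg and inv are both gone after this */
}

/* Stand-in for pjsip_inv_send_msg(): with the peer unreachable the send fails
 * synchronously, the session ends and the dialog is destroyed before return. */
static void send_msg(inv_session_t *inv) {
    if (!inv->dlg->peer_reachable)
        dialog_dec_session(inv->dlg);
}

static void log_line(const char *call_id, int expires) {
    printf("session timer fired for %s (expires=%d)\n", call_id, expires);
}

/* The order the ticket describes: log after the send, reading fields that live
 * in the pool the send may have released. Returns 1 when that trailing log
 * would have read released memory, 0 when it was safe. */
static int timer_cb_vulnerable(inv_session_t *inv) {
    pool_t *pool = inv->pool;   /* kept only so the toy can check afterwards */
    send_msg(inv);
    if (!pool->alive)
        return 1;               /* real code would now read inv->dlg->call_id: UAF */
    log_line(inv->dlg->call_id, inv->expires);
    return 0;
}

/* Fix A: copy everything the log needs to the stack before the send. */
static int timer_cb_snapshot(inv_session_t *inv) {
    char call_id[32];
    int expires = inv->expires;
    memcpy(call_id, inv->dlg->call_id, sizeof call_id);
    send_msg(inv);
    log_line(call_id, expires);   /* only stack copies are touched */
    return 0;
}

/* Fix B: hold a session reference across the send so destruction is deferred
 * until the callback has finished with the object. */
static int timer_cb_hold_ref(inv_session_t *inv) {
    dialog_t *dlg = inv->dlg;
    int dead;
    dlg->sess_count++;            /* pjsip_dlg_inc_session() equivalent */
    send_msg(inv);
    dead = !inv->pool->alive;     /* still alive: the dialog outlived the send */
    log_line(inv->dlg->call_id, inv->expires);
    dialog_dec_session(dlg);      /* may destroy now; nothing is touched after */
    return dead;
}

/* Runs Fix B against an unreachable peer and reports whether the log was safe
 * AND the dialog was still destroyed once the reference was dropped. */
static int hold_ref_defers_destroy(void) {
    inv_session_t *inv = inv_create("c@example.invalid", 90, 0);
    pool_t *pool = inv->pool;
    int touched_dead = timer_cb_hold_ref(inv);
    return touched_dead == 0 && pool->alive == 0;
}

int main(void) {
    printf("vulnerable order: %s\n",
           timer_cb_vulnerable(inv_create("a@example.invalid", 90, 0)) ? "use-after-free" : "ok");
    printf("snapshot fix: %d, hold-ref fix deferred destroy: %d\n",
           timer_cb_snapshot(inv_create("b@example.invalid", 90, 0)), hold_ref_defers_destroy());
    return 0;
}
```

The snapshot variant is the smaller change and is enough when the only post-send work is a log line; the reference-hold variant is what a callback needs if it must keep using the session object after control has passed to code that may tear the dialog down.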
Thanks to Christoffer Lauri and Fredrik Hansson for the report.