Opened 15 years ago

Last modified 15 years ago

#718 closed defect

Segmentation fault when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report) — at Initial Version

Reported by: bennylp Owned by: bennylp
Priority: major Milestone: release-1.1
Component: pjsip Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description

The Microsoft RTC stack does not put an rport in its request Via, which causes pjsip_get_response_addr() to set res_addr.transport to NULL. tsx_on_state_proceeding_uas() then dereferences the transport without checking for NULL, which, of course, causes the exception.

The crash occurs when 1) pjsip responds to a BYE it received from the UDP transport, where the remote SIP stack that sent the BYE does not include the rport in the Via header, and 2) the UDP transport's sendto call in pjsip that sends the 200 Response returns pending. Here is the sequence of events:

  1. pjsip receives a BYE
  2. the transaction layer initializes a pjsip_transaction from the rdata
  3. The transport layer tries to get the response addr by calling pjsip_get_response_addr()
  4. Inside pjsip_get_response_addr(), because the incoming transport is not reliable and the rport is -1 (not set), the response transport is set to NULL
  5. The 200 Response is sent to the UDP transport via the endpoint resolver by pjsip_endpt_send_request_stateless()
  6. udp_send_msg returns PJ_EPENDING
  7. the call stack returns to tsx_on_state_proceeding_uas() where the retransmit timer is scheduled
  8. Pjsip checks to see if tsx->transport is reliable, but tsx->transport is NULL

Now, if in step 6, udp_send_msg returns PJ_SUCCESS, the send_msg_callback is called, inside that callback tsx->transport is set and when the call stack returns to tsx_on_state_proceeding_uas() the transport reliability check does not crash.
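As an added illustration (not pjsip's code and not the project's actual fix), here is a simplified C model of steps 5 to 8: the transaction's transport pointer is only filled in by the send callback, so a pending send leaves it NULL, and the hardened check treats an unknown transport as unreliable instead of dereferencing it. All struct, function and constant names are constructed for this example.

```c
#include <stdio.h>
/* Constructed model (not pjsip's real types or API) of the ticket's
 * sequence: tsx->transport is set only by the send callback, so when the
 * UDP send returns "pending" it is still NULL at the retransmit check. */
#define FLAG_RELIABLE 0x1
#define SEND_SUCCESS  0
#define SEND_PENDING  1

struct transport { unsigned flag; };
struct tsx { struct transport *transport; int retransmit_scheduled; };

/* Runs once the datagram has really been handed to the socket. */
static void send_msg_callback(struct tsx *tsx, struct transport *tp) {
    tsx->transport = tp;
}

/* Models udp_send_msg: completes now (callback runs) or defers (pending). */
static int send_msg(struct tsx *tsx, struct transport *tp, int pending) {
    if (pending) return SEND_PENDING;
    send_msg_callback(tsx, tp);
    return SEND_SUCCESS;
}

/* Check as the ticket describes it: dereferences tsx->transport
 * unconditionally, so a NULL pointer here is a segmentation fault. */
static int retransmit_needed_unchecked(const struct tsx *tsx) {
    return !(tsx->transport->flag & FLAG_RELIABLE);
}

/* Hardened check: an unknown transport is treated as unreliable, so the
 * retransmit timer is scheduled instead of dereferencing NULL. */
static int retransmit_needed_checked(const struct tsx *tsx) {
    return tsx->transport == NULL || !(tsx->transport->flag & FLAG_RELIABLE);
}

/* Drives steps 5-8 for one send outcome; returns 1 if the retransmit timer
 * would be scheduled. hardened=0 with send_pending=1 reproduces the crash. */
int respond_over_udp(int send_pending, int hardened) {
    struct transport udp = { 0 };   /* UDP carries no FLAG_RELIABLE */
    struct tsx tsx = { NULL, 0 };
    send_msg(&tsx, &udp, send_pending);
    tsx.retransmit_scheduled = hardened ? retransmit_needed_checked(&tsx)
                                        : retransmit_needed_unchecked(&tsx);
    return tsx.retransmit_scheduled;
}

int main(void) {
    printf("pending send, hardened: retransmit=%d\n", respond_over_udp(1, 1));
    return 0;
}
```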

Thank you Norma and Seth again for the detailed report and patch suggestion.

Change History (0)
