sipcall: avoid use after free on the invite session

pjsip uses a counter to delete objects when the ref counter is equals to 0. This means that our unique_ptr on the invite will be invalid if resources are already freed by pjproject. To avoid this, we need to increment and decrement the counter when we respectively create and destroy our unique_ptr on the invite session Change-Id: Ida5c687004b91100f1c10f83e32c1a40264c775c

sipcall: avoid use after free on the invite session
4ad78be5 · Sébastien Blin · Adrien Béraud · 957cc3f2 · 4ad78be5 · 4ad78be5
Commit 4ad78be5 authored 5 years ago by Sébastien Blin Committed by Adrien Béraud 5 years ago
--- a/src/sip/sipcall.cpp
+++ b/src/sip/sipcall.cpp
@@ -1329,7 +1329,10 @@ SIPCall::InvSessionDeleter::operator ()(pjsip_inv_session* inv) const noexcept
 {
    // prevent this from getting accessed in callbacks
    // JAMI_WARN: this is not thread-safe!
+    if (!inv) return;
    inv->mod_data[getSIPVoIPLink()->getModId()] = nullptr;
+    // NOTE: the counter is incremented by sipvoiplink (transaction_request_cb)
+    pjsip_inv_dec_ref(inv);
 }
 bool

--- a/src/sip/sipvoiplink.cpp
+++ b/src/sip/sipvoiplink.cpp
@@ -385,6 +385,11 @@ transaction_request_cb(pjsip_rx_data *rdata)
    pjsip_dlg_dec_lock(dialog);
    inv->mod_data[mod_ua_.id] = call.get();
+    // NOTE: The invitation counter is managed by pjsip. If that counter goes down to zero
+    // the invite will be destroyed, and the unique_ptr will point freed datas.
+    // To avoid this, we increment the ref counter and let our unique_ptr manage
+    // when the invite will be freed
+    pjsip_inv_add_ref(inv);
    call->inv.reset(inv);
    // Check whether Replaces header is present in the request and process accordingly.