From 8b381d89a19de08a2b3a7ea9787713938838c7da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20LE=20STUM?=
 <sebastien.le-stum@savoirfairelinux.com>
Date: Wed, 30 Sep 2020 15:45:01 -0400
Subject: [PATCH] sipaccount: prevent use-after-free on error in onComplete

Calling release() on a unique_ptr transfers ownership of the managed object to
the caller and leaves the unique_ptr empty (null), so dereferencing it afterwards
is undefined behavior.

Fix a potential use-after-free if the send_request fails by scoping in
the release of the context pointer.

Change-Id: I495964fd9b0edd24b528649bace679369a967dd5
---
 src/sip/sipaccount.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/sip/sipaccount.cpp b/src/sip/sipaccount.cpp
index 4c5f00dbde..519a0d33f8 100644
--- a/src/sip/sipaccount.cpp
+++ b/src/sip/sipaccount.cpp
@@ -2242,15 +2242,16 @@ SIPAccount::onComplete(void* token, pjsip_event* event)
             cseq_hdr->cseq += 1;
 
             // Resend request
+            ctx* token_ptr = c.release();
             status = pjsip_endpt_send_request(acc->link_.getEndpoint(),
                                               new_request,
                                               -1,
-                                              c.release(),
+                                              token_ptr,
                                               &onComplete);
 
             if (status != PJ_SUCCESS) {
                 JAMI_ERR("Unable to send request: %s", sip_utils::sip_strerror(status).c_str());
-                acc->messageEngine_.onMessageSent(c->to, c->id, false);
+                acc->messageEngine_.onMessageSent(token_ptr->to, token_ptr->id, false);
             }
             return;
         } else {
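Review bot: The error branch now reads through a valid pointer, but nothing frees the context it points to: `c.release()` on the new line 26 gives up ownership unconditionally, and when `pjsip_endpt_send_request` fails the branch reports the failure itself via `onMessageSent`, which implies pjsip will not invoke `onComplete` for that token — so `token_ptr` is neither owned by `c` nor by pjsip and leaks. The pre-existing code had the same leak; the cleaner fix is to pass `c.get()` to the send call and only `release()` once the send has succeeded, so that on failure `c` still owns the context and destroys it after the error is reported. This assumes pjsip never runs the callback for a send that returned an error (the same assumption the existing error branch already makes); if it can, the callback side must not delete the token in that case. `onComplete` starts before this hunk and continues after it.
```cpp
            // Resend request; ownership of the context moves to pjsip only
            // once the send succeeds, otherwise `c` still frees it below.
            status = pjsip_endpt_send_request(acc->link_.getEndpoint(),
                                              new_request,
                                              -1,
                                              c.get(),
                                              &onComplete);

            if (status != PJ_SUCCESS) {
                JAMI_ERR("Unable to send request: %s", sip_utils::sip_strerror(status).c_str());
                acc->messageEngine_.onMessageSent(c->to, c->id, false);
                return; // `c` destroys the context here
            }
            c.release(); // pjsip now owns the token and hands it back to onComplete
            return;
```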
-- 
GitLab