res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled

We need to copy the endpoint name before we call ao2_cleanup() on it, otherwise we might try to access memory that has been reclaimed. ASTERISK-28445 #close Reported by: Bernhard Schmidt Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
asterisk · Dec 3, 2019 · fbc80db · fbc80db
1 parent dd07ac6
commit fbc80db
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
@@ -2150,8 +2150,10 @@ static void session_destructor(void *obj)
 {
 	struct ast_sip_session *session = obj;
 	struct ast_sip_session_delayed_request *delay;
+
+	/* We dup the endpoint ID in case the endpoint gets freed out from under us */
 	const char *endpoint_name = session->endpoint ?
-		ast_sorcery_object_get_id(session->endpoint) : "<none>";
+		ast_strdupa(ast_sorcery_object_get_id(session->endpoint)) : "<none>";
 
 	ast_debug(3, "Destroying SIP session with endpoint %s\n", endpoint_name);