From fbc80db350ee006cdebcb113a6daf60f95c8851d Mon Sep 17 00:00:00 2001
From: Sean Bright
Date: Tue, 3 Dec 2019 16:42:00 -0500
Subject: [PATCH] res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled

We need to copy the endpoint name before we call ao2_cleanup() on it, otherwise we might try to access memory that has been reclaimed.

ASTERISK-28445 #close
Reported by: Bernhard Schmidt
Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
---
 res/res_pjsip_session.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 44c25811355..f6b9fa9f1e3 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -2150,8 +2150,10 @@ static void session_destructor(void *obj)
 {
 struct ast_sip_session *session = obj;
 struct ast_sip_session_delayed_request *delay;
+
+ /* We dup the endpoint ID in case the endpoint gets freed out from under us */
 const char *endpoint_name = session->endpoint ?
- ast_sorcery_object_get_id(session->endpoint) : "";
+ ast_strdupa(ast_sorcery_object_get_id(session->endpoint)) : "";
 ast_debug(3, "Destroying SIP session with endpoint %s\n", endpoint_name);
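Review bot: The new comment above `endpoint_name` says the endpoint may be "freed out from under us", but per the commit message the release happens in this same destructor when it calls ao2_cleanup() on the endpoint, so the comment should name that ordering, e.g. `/* Copy the ID now: session->endpoint is released later in this function and endpoint_name is still read afterwards (TEST_FRAMEWORK) */`. It is also worth stating there that `ast_strdupa()` places the copy on the stack, so `endpoint_name` is valid only until `session_destructor` returns and must not be stored or passed to anything that outlives the call. The rest of the function, including the ao2_cleanup() call and the later read of `endpoint_name`, lies outside the hunk, so that ordering should be confirmed against the full body.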