
sip: b/f: fix segfault in try_next_ip()

When a transport error is generated internally for an abandoned transaction, SEMS would crash in try_next_ip(). This could have happened, for example, when the M timer is shorter than the TCP connection timeout.

Raphael Coeffic authored on 09/01/2014 11:13:53
Showing 1 changed files
... ...
@@ -1862,6 +1862,13 @@ int _trans_layer::update_uac_reply(trans_bucket* bucket, sip_trans* t, sip_msg*
1862 1862
 		
1863 1863
 	    case TS_ABANDONED:
1864 1864
 	    case TS_TERMINATED:
1865
+		// local reply: do not send an ACK in this case
1866
+		if(!msg->local_socket) {
1867
+		    t->reset_all_timers();
1868
+		    bucket->remove(t);
1869
+		    goto end;
1870
+		}
1871
+
1865 1872
 		// disable blacklisting: remote UA did reply
1866 1873
 		DBG("disable blacklisting: remote UA (%s/%i) did reply",
1867 1874
 		    am_inet_ntop(&msg->remote_ip).c_str(),
... ...
@@ -1996,6 +2003,15 @@ int _trans_layer::update_uac_reply(trans_bucket* bucket, sip_trans* t, sip_msg*
1996 2003
 	    
1997 2004
 	case TS_ABANDONED:
1998 2005
 	case TS_TERMINATED:
2006
+	    //local reply
2007
+	    if(!msg->local_socket) {
2008
+		if(reply_code == 500 || reply_code == 503) {
2009
+		    // no more replies will come...
2010
+		    bucket->remove(t);
2011
+		}
2012
+		goto end;
2013
+	    }
2014
+
1999 2015
 	    INFO("disable blacklisting: remote UA (%s/%i) did reply",
2000 2016
 		 am_inet_ntop(&msg->remote_ip).c_str(),
2001 2017
 		 am_get_port(&msg->remote_ip));
... ...
@@ -2577,7 +2593,8 @@ int _trans_layer::try_next_ip(trans_bucket* bucket, sip_trans* tr,
2577 2593
 
2578 2594
  try_next_dest:
2579 2595
     // get the next ip
2580
-    if(tr->targets->get_next(&sa,next_trsp,tr->flags) < 0){
2596
+    if(!tr->targets ||
2597
+       tr->targets->get_next(&sa,next_trsp,tr->flags) < 0){
2581 2598
 	DBG("no more destinations!");
2582 2599
 	return -1;
2583 2600
     }
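Review bot: The two local-reply branches added under `case TS_ABANDONED:` / `case TS_TERMINATED:` in update_uac_reply() tear the transaction down differently. The first (new lines 1866-1870) calls `t->reset_all_timers();` before `bucket->remove(t);`, while the second (new lines 2007-2013) calls `bucket->remove(t);` alone, and only for 500/503. Whether remove() cancels pending timers itself is not visible here; if it does not, a timer still armed for the removed transaction could later fire on a stale `sip_trans*`, so the second branch should also call `t->reset_all_timers();` first, and if it does, the explicit call in the first branch is redundant and the two should simply agree. Both branches also rely on `!msg->local_socket` meaning "reply generated internally", which deserves a one-line comment at the check, such as `// local_socket is not set on internally generated replies (e.g. transport error)`, once that is confirmed against where those replies are built. All three functions start and end outside the hunks shown, so the code at the `end` label and the handling of `t` after `goto end` could not be checked.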