Commit c866a895 authored by Simon Morlat's avatar Simon Morlat

Postpone the destruction of sofia sip outgoing transaction.

Indeed, it may happen that a the cancellation of an INVITE transaction results in the transaction callback being invoked, which results in the transaction being destroyed immediately while still doing processing with the creation of the cancel transaction.
The exact case would be that the sending of the CANCEL generates a transport error that is immediately notified to the INVITE transaction (because the CANCEL and the INVITE use the same transport) with an internal 503 response, which goes to flexisip, and calls OutgoingTransaction::destroy(), which calls nta_outgoing_destroy().
nta_outgoing_tcancel() is then left with the INVITE transaction freed (full of 0xaaaaaaaa), which crashes.
parent 15ad9273
Pipeline #6271 passed with stages
in 18 minutes and 14 seconds
......@@ -160,10 +160,27 @@ int OutgoingTransaction::_callback(nta_outgoing_magic_t *magic, nta_outgoing_t *
return 0;
static void destroy_transaction(su_root_magic_t *rm, su_msg_r msg, void *u){
nta_outgoing_t *tr = *static_cast<nta_outgoing_t **>(su_msg_data(msg));
void OutgoingTransaction::destroy() {
if (mSofiaRef != NULL) {
nta_outgoing_bind(mOutgoing, NULL, NULL); // avoid callbacks
// invoke nta_outgoing_destroy() at a later time.
su_msg_r mamc = SU_MSG_R_INIT;
if (-1 == su_msg_create(mamc, su_root_task(mAgent->getRoot()), su_root_task(mAgent->getRoot()), destroy_transaction,
sizeof(nta_outgoing_t *))) {
LOGF("Couldn't create async message to destroy transaction.");
nta_outgoing_t **outgoingStorage = (nta_outgoing_t **)su_msg_data(mamc);
*outgoingStorage = mOutgoing;
if (-1 == su_msg_send(mamc)) {
LOGF("Couldn't send async message to destroy transaction.");
mOutgoing = NULL;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment