Summary:ASTERISK-23718: res_pjsip_incoming_blind_request: crash with NULL session channel
Reporter:Jonathan Rose (jrose)Labels:
Date Opened:2014-05-05 16:35:40Date Closed:2014-05-30 09:58:53
Status:Closed/CompleteComponents:Channels/chan_pjsip Resources/res_pjsip_refer
Versions:12.2.0 Frequency of
Environment:Attachments:( 0) backtrace_pjsip_blind_xfer_crash.txt
Description:I've only been able to reproduce this with Digium Phones on account of them offering a certain level of control over calls during transfers. Still, Asterisk shouldn't crash on any SIP transactions it receives.


<something to dial the other phone with>

steps to reproduce:

* PJSIP/dphone1 dials PJSIP/dphone2, gets into normal 2 party bridge situation
* PJSIP/dphone1 uses xfer key to transfer PJSIP/dphone2 to extension 001
* While the transfer is progressing, press the ^ key on the Digium Phone's directional pad to switch the call from the current transfer to the initial session with PJSIP/dphone2
* Press the "Resume" softkey
* Attempt to transfer the call to 001 again. This should cause the crash.

I'm attaching a backtrace which details the crash. It can be mitigated simply by adding a null check against session->channel and returning 404 (probably anything other than 200 really). I'm not attaching a patch since I think that might be a superficial fix.
Comments:By: Kinsey Moore (kmoore) 2014-05-30 09:58:54.018-0500

Fix committed to 12 and trunk.