--- /dev/null
+Index: trunk/pjsip/src/pjsip/sip_transaction.c\r
+===================================================================\r
+--- a/pjsip/src/pjsip/sip_transaction.c (revision 5244)\r
++++ b/pjsip/src/pjsip/sip_transaction.c (revision 5572)\r
+@@ -1231,5 +1231,27 @@\r
+ PJSIP_EVENT_INIT_TSX_STATE(e, tsx, event_src_type, event_src,\r
+ prev_state);\r
++\r
++ /* For timer event, release lock to avoid deadlock.\r
++ * This should be safe because:\r
++ * 1. The tsx state just switches to TERMINATED or DESTROYED.\r
++ * 2. There should be no other processing taking place. All other\r
++ * events, such as the ones handled by tsx_on_state_terminated()\r
++ * should be ignored.\r
++ * 3. tsx_shutdown() hasn't been called.\r
++ * Refer to ticket #2001 (https://trac.pjsip.org/repos/ticket/2001).\r
++ */\r
++ if (event_src_type == PJSIP_EVENT_TIMER &&\r
++ (pj_timer_entry *)event_src == &tsx->timeout_timer)\r
++ {\r
++ pj_grp_lock_release(tsx->grp_lock);\r
++ }\r
++\r
+ (*tsx->tsx_user->on_tsx_state)(tsx, &e);\r
++\r
++ if (event_src_type == PJSIP_EVENT_TIMER &&\r
++ (pj_timer_entry *)event_src == &tsx->timeout_timer)\r
++ {\r
++ pj_grp_lock_acquire(tsx->grp_lock);\r
++ }\r
+ }\r
+ \r
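Review bot: The timer condition guarding `pj_grp_lock_release()` is written out a second time for `pj_grp_lock_acquire()`, and that second copy, together with `tsx->grp_lock`, is read after `on_tsx_state` has run with the lock dropped. Computing it once before the callback, e.g. `pj_bool_t unlock = (event_src_type == PJSIP_EVENT_TIMER && (pj_timer_entry *)event_src == &tsx->timeout_timer);`, keeps release and acquire paired by one decision. The comment explains why no other processing should occur, but it does not say what keeps `tsx` alive across the unlocked window. If the caller holds a group-lock reference, the comment should say so; if not, an add_ref/dec_ref around the callback looks necessary. The enclosing function starts outside the hunk.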
--- /dev/null
+Index: trunk/pjsip/include/pjsip/sip_transaction.h\r
+===================================================================\r
+--- a/pjsip/include/pjsip/sip_transaction.h (revision 5572)\r
++++ b/pjsip/include/pjsip/sip_transaction.h (revision 5573)\r
+@@ -180,4 +180,8 @@\r
+ * is created by calling #pjsip_tsx_create_key() from an incoming message.\r
+ *\r
++ * IMPORTANT: To prevent deadlock, application should use\r
++ * #pjsip_tsx_layer_find_tsx2() instead which only adds a reference to\r
++ * the transaction instead of locking it.\r
++ *\r
+ * @param key The key string to find the transaction.\r
+ * @param lock If non-zero, transaction will be locked before the\r
+@@ -190,4 +194,19 @@\r
+ PJ_DECL(pjsip_transaction*) pjsip_tsx_layer_find_tsx( const pj_str_t *key,\r
+ pj_bool_t lock );\r
++\r
++/**\r
++ * Find a transaction with the specified key. The transaction key normally\r
++ * is created by calling #pjsip_tsx_create_key() from an incoming message.\r
++ *\r
++ * @param key The key string to find the transaction.\r
++ * @param add_ref If non-zero, transaction's reference will be added\r
++ * by one before the function returns, to make sure that\r
++ * it's not deleted by other threads.\r
++ *\r
++ * @return The matching transaction instance, or NULL if transaction\r
++ * can not be found.\r
++ */\r
++PJ_DECL(pjsip_transaction*) pjsip_tsx_layer_find_tsx2( const pj_str_t *key,\r
++ pj_bool_t add_ref );\r
+ \r
+ /**\r
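Review bot: The doc comment for `pjsip_tsx_layer_find_tsx2()` says a reference is added but never states the caller's obligation to drop it, which is how a leaked transaction or an unbalanced `pj_grp_lock_release()` gets written. I would add a sentence such as `The caller must release the reference with pj_grp_lock_dec_ref(tsx->grp_lock) when done; the transaction is returned unlocked.` It is also worth stating that with `add_ref` zero the returned pointer is neither locked nor referenced, so another thread may delete it.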
+Index: trunk/pjsip/src/pjsip/sip_transaction.c\r
+===================================================================\r
+--- a/pjsip/src/pjsip/sip_transaction.c (revision 5572)\r
++++ b/pjsip/src/pjsip/sip_transaction.c (revision 5573)\r
+@@ -642,6 +642,6 @@\r
+ * Find a transaction.\r
+ */\r
+-PJ_DEF(pjsip_transaction*) pjsip_tsx_layer_find_tsx( const pj_str_t *key,\r
+- pj_bool_t lock )\r
++static pjsip_transaction* find_tsx( const pj_str_t *key, pj_bool_t lock,\r
++ pj_bool_t add_ref )\r
+ {\r
+ pjsip_transaction *tsx;\r
+@@ -655,5 +655,5 @@\r
+ /* Prevent the transaction to get deleted before we have chance to lock it.\r
+ */\r
+- if (tsx && lock)\r
++ if (tsx)\r
+ pj_grp_lock_add_ref(tsx->grp_lock);\r
+ \r
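Review bot: The comment above `pj_grp_lock_add_ref()` is now stale: it still says the reference is taken so the transaction can be locked, but the new condition `if (tsx)` takes it for every lookup, including `lock == PJ_FALSE`. Suggested wording: `/* Hold a reference so the transaction is not deleted before it is locked or handed to the caller. */`. The body of `find_tsx()` continues outside this hunk.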
+@@ -667,10 +667,27 @@\r
+ PJ_RACE_ME(5);\r
+ \r
+- if (tsx && lock) {\r
+- pj_grp_lock_acquire(tsx->grp_lock);\r
+- pj_grp_lock_dec_ref(tsx->grp_lock);\r
++ if (tsx) {\r
++ if (lock)\r
++ pj_grp_lock_acquire(tsx->grp_lock);\r
++\r
++ if (!add_ref)\r
++ pj_grp_lock_dec_ref(tsx->grp_lock);\r
+ }\r
+ \r
+ return tsx;\r
++}\r
++\r
++\r
++PJ_DEF(pjsip_transaction*) pjsip_tsx_layer_find_tsx( const pj_str_t *key,\r
++ pj_bool_t lock )\r
++{\r
++ return find_tsx(key, lock, PJ_FALSE);\r
++}\r
++\r
++\r
++PJ_DEF(pjsip_transaction*) pjsip_tsx_layer_find_tsx2( const pj_str_t *key,\r
++ pj_bool_t add_ref )\r
++{\r
++ return find_tsx(key, PJ_FALSE, add_ref);\r
+ }\r
+ \r
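Review bot: When both `lock` and `add_ref` are false, `find_tsx()` now does an add_ref followed by a dec_ref and returns a pointer that nothing protects. Both `pjsip_tsx_layer_find_tsx(key, PJ_FALSE)` and `pjsip_tsx_layer_find_tsx2(key, PJ_FALSE)` reach that path. If `pj_grp_lock_dec_ref()` can drop the last reference there (not visible in this hunk), the returned `tsx` may already be destroyed, which the old code never caused itself because it did not touch the count when `lock` was false. At minimum a comment at the `if (!add_ref)` branch should say so, e.g. `/* Caller gets an unprotected pointer; only valid if the caller otherwise guarantees tsx lifetime. */`.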
+Index: trunk/pjsip/src/pjsip/sip_ua_layer.c\r
+===================================================================\r
+--- a/pjsip/src/pjsip/sip_ua_layer.c (revision 5572)\r
++++ b/pjsip/src/pjsip/sip_ua_layer.c (revision 5573)\r
+@@ -552,10 +552,10 @@\r
+ \r
+ /* Lookup the INVITE transaction */\r
+- tsx = pjsip_tsx_layer_find_tsx(&key, PJ_TRUE);\r
++ tsx = pjsip_tsx_layer_find_tsx2(&key, PJ_TRUE);\r
+ \r
+ /* We should find the dialog attached to the INVITE transaction */\r
+ if (tsx) {\r
+ dlg = (pjsip_dialog*) tsx->mod_data[mod_ua.mod.id];\r
+- pj_grp_lock_release(tsx->grp_lock);\r
++ pj_grp_lock_dec_ref(tsx->grp_lock);\r
+ \r
+ /* Dlg may be NULL on some extreme condition\r
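Review bot: `tsx->mod_data[mod_ua.mod.id]` is now read while holding only a reference, not the transaction lock, and the reference is dropped on the next line. The reference keeps `tsx` itself alive, but nothing visible in the hunk keeps `dlg` alive or stops the field being cleared concurrently, which the previous locked lookup did serialise. A short comment stating why the unlocked read is safe here would help, for example that the dialog is validated or locked further down, outside the hunk. The two `sip_inv.c` hunks follow the same pattern: `invite_tsx` is used between `pjsip_tsx_layer_find_tsx2()` and `pj_grp_lock_dec_ref()` without the lock, in code that is not shown.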
+Index: trunk/pjsip/src/pjsip-ua/sip_inv.c\r
+===================================================================\r
+--- a/pjsip/src/pjsip-ua/sip_inv.c (revision 5572)\r
++++ b/pjsip/src/pjsip-ua/sip_inv.c (revision 5573)\r
+@@ -3276,5 +3276,5 @@\r
+ pjsip_tsx_create_key(rdata->tp_info.pool, &key, PJSIP_ROLE_UAS,\r
+ pjsip_get_invite_method(), rdata);\r
+- invite_tsx = pjsip_tsx_layer_find_tsx(&key, PJ_TRUE);\r
++ invite_tsx = pjsip_tsx_layer_find_tsx2(&key, PJ_TRUE);\r
+ \r
+ if (invite_tsx == NULL) {\r
+@@ -3325,5 +3325,5 @@\r
+ \r
+ if (invite_tsx)\r
+- pj_grp_lock_release(invite_tsx->grp_lock);\r
++ pj_grp_lock_dec_ref(invite_tsx->grp_lock);\r
+ }\r
+ \r
--- /dev/null
+Index: pjproject/trunk/pjsip/src/pjsip-ua/sip_timer.c
+===================================================================
+--- a/pjsip/src/pjsip-ua/sip_timer.c (revision 5557)
++++ b/pjsip/src/pjsip-ua/sip_timer.c (revision 5576)
+@@ -333,6 +333,8 @@
+ pjsip_tx_data *tdata = NULL;
+ pj_status_t status;
+ pj_bool_t as_refresher;
++ int entry_id;
++ char obj_name[PJ_MAX_OBJ_NAME];
+
+ pj_assert(inv);
+
+@@ -344,7 +346,10 @@
+ /* Check our role */
+ as_refresher =
+ (inv->timer->refresher == TR_UAC && inv->timer->role == PJSIP_ROLE_UAC) ||
+- (inv->timer->refresher == TR_UAS && inv->timer->role == PJSIP_ROLE_UAS);
++ (inv->timer->refresher == TR_UAS && inv->timer->role == PJSIP_ROLE_UAS);
++
++ entry_id = entry->id;
++ pj_ansi_strncpy(obj_name, inv->pool->obj_name, PJ_MAX_OBJ_NAME);
+
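Review bot: `pj_ansi_strncpy(obj_name, inv->pool->obj_name, PJ_MAX_OBJ_NAME)` does not guarantee a terminator if it behaves like `strncpy` and the source fills the buffer, and `obj_name` is later passed to `PJ_LOG`/`PJ_PERROR` as a string. Adding `obj_name[PJ_MAX_OBJ_NAME-1] = '\0';` right after the copy removes the dependency on the pool name always being shorter than the buffer. A one-line comment here would also explain the copies up front, e.g. `/* Copy what we need for logging: inv and entry may be gone after the send below. */`, since the explanation currently appears only near the end of the function. The function body starts and ends outside this hunk.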
+ /* Do action based on role(refresher or refreshee).
+ * As refresher:
+@@ -353,7 +358,7 @@
+ * As refreshee:
+ * - end session if there is no refresh request received.
+ */
+- if (as_refresher && (entry->id != REFRESHER_EXPIRE_TIMER_ID)) {
++ if (as_refresher && (entry_id != REFRESHER_EXPIRE_TIMER_ID)) {
+ pj_time_val now;
+
+ /* As refresher, reshedule the refresh request on the following:
+@@ -414,7 +419,7 @@
+ }
+
+ pj_gettimeofday(&now);
+- PJ_LOG(4, (inv->pool->obj_name,
++ PJ_LOG(4, (obj_name,
+ "Refreshing session after %ds (expiration period=%ds)",
+ (now.sec-inv->timer->last_refresh.sec),
+ inv->timer->setting.sess_expires));
+@@ -432,7 +437,7 @@
+ NULL, &tdata);
+
+ pj_gettimeofday(&now);
+- PJ_LOG(3, (inv->pool->obj_name,
++ PJ_LOG(3, (obj_name,
+ "No session %s received after %ds "
+ "(expiration period=%ds), stopping session now!",
+ (as_refresher?"refresh response":"refresh"),
+@@ -451,11 +456,16 @@
+ status = pjsip_inv_send_msg(inv, tdata);
+ }
+
++ /*
++ * At this point, dialog might have already been destroyed,
++ * including its pool used by the invite session.
++ */
++
+ /* Print error message, if any */
+ if (status != PJ_SUCCESS) {
+- PJ_PERROR(2, (inv->pool->obj_name, status,
++ PJ_PERROR(2, (obj_name, status,
+ "Error in %s session timer",
+- ((as_refresher && entry->id != REFRESHER_EXPIRE_TIMER_ID)?
++ ((as_refresher && entry_id != REFRESHER_EXPIRE_TIMER_ID)?
+ "refreshing" : "terminating")));
+ }
+ }
+
--- /dev/null
+Index: /pjproject/trunk/pjlib/src/pj/ssl_sock_ossl.c\r
+===================================================================\r
+--- a/pjlib/src/pj/ssl_sock_ossl.c (revision 5564)\r
++++ b/pjlib/src/pj/ssl_sock_ossl.c (revision 5565)\r
+@@ -145,5 +145,6 @@\r
+ SSL_STATE_NULL,\r
+ SSL_STATE_HANDSHAKING,\r
+- SSL_STATE_ESTABLISHED\r
++ SSL_STATE_ESTABLISHED,\r
++ SSL_STATE_ERROR\r
+ };\r
+ \r
+@@ -1907,4 +1908,8 @@\r
+ buf->len += size_;\r
+ \r
++ if (status != PJ_SUCCESS) {\r
++ ssock->ssl_state = SSL_STATE_ERROR;\r
++ }\r
++\r
+ ret = (*ssock->param.cb.on_data_read)(ssock, buf->data,\r
+ buf->len, status,\r
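Review bot: `SSL_STATE_ERROR` is assigned here for any non-success read status, but neither this hunk nor the enum hunk above documents what the state means or which paths are expected to test it. Existing checks that compare against `SSL_STATE_ESTABLISHED` or `SSL_STATE_NULL` may treat the new value differently, and none of them are visible here. I would document it at the enum, e.g. `SSL_STATE_ERROR /* read failed; socket must not be treated as established */`, and add a short comment on the assignment noting it is set before `on_data_read` so the callback sees the failed state. Whether send and shutdown paths should set or honour the same state cannot be judged from these hunks and is worth confirming.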
+@@ -2658,5 +2663,9 @@\r
+ /* Current cipher */\r
+ cipher = SSL_get_current_cipher(ssock->ossl_ssl);\r
+- info->cipher = (SSL_CIPHER_get_id(cipher) & 0x00FFFFFF);\r
++ if (cipher) {\r
++ info->cipher = (SSL_CIPHER_get_id(cipher) & 0x00FFFFFF);\r
++ } else {\r
++ info->cipher = PJ_TLS_UNKNOWN_CIPHER;\r
++ }\r
+ \r
+ /* Remote address */\r
Summary: PJSIP - free and open source multimedia communication library
Name: pjproject
Version: 2.6
-Release: 1
+Release: 2
License: GPL v2+
Group: Libraries
Source0: http://www.pjsip.org/release/%{version}/%{name}-%{version}.tar.bz2
Patch102: 0013-r5559-svn-backport-Fix-to-resolve-DNS-SRV-crashes.patch
Patch103: 0014-Add-pjsip-transport-register-type-ipv6.patch
Patch104: 0025-fix-print-xml-crash.patch
-Patch105: 0058-Parse-zero-length-multipart-body-parts-correctly.patch
-Patch106: 0059-Ensure-2543-transaction-key-buffer-is-large-enough.patch
+Patch105: 0035-r5572-svn-backport-dialog-transaction-deadlock.patch
+Patch106: 0036-r5573-svn-backport-ua-pjsua-transaction-deadlock.patch
+Patch107: 0037-r5576-svn-backport-session-timer-crash.patch
+Patch108: 0048-r5576-svn-backport-tls-crash.patch
+Patch109: 0058-Parse-zero-length-multipart-body-parts-correctly.patch
+Patch110: 0059-Ensure-2543-transaction-key-buffer-is-large-enough.patch
URL: http://www.pjsip.org/
%{?with_video:BuildRequires: SDL2-devel}
BuildRequires: SILK_SDK-devel
%patch104 -p1
%patch105 -p1
%patch106 -p1
+%patch107 -p1
+%patch108 -p1
+%patch109 -p1
+%patch110 -p1
cp -p %{SOURCE1} pjlib/include/pj/config_site.h