1 This patch fixes an issue in pjsip_tx_data_dec_ref()
2 where tx_data_destroy() could be called more than once,
3 and adds a check for an invalid value (e.g. NULL) being passed in.
5 Index: pjsip/src/pjsip/sip_transport.c
6 ===================================================================
7 --- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
8 +++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
11 PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
13 - pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
14 - if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
15 + pj_atomic_value_t ref_cnt;
17 + PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
19 + ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
20 + pj_assert( ref_cnt >= 0);
22 tx_data_destroy(tdata);
23 return PJSIP_EBUFDESTROYED;
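Review bot: An over-release is caught only by `pj_assert( ref_cnt >= 0);`, and pj_assert() is a debug-time assertion, so a build with assertions disabled may let a negative count through with no signal to the caller. I would handle that case explicitly right after the decrement, e.g. `if (ref_cnt < 0) return PJ_EINVALIDOP;`, so the misuse is also reported in release builds. The decrement still dereferences `tdata->ref_cnt`, so if an earlier release already destroyed the buffer this presumably touches freed memory; a comment such as `/* Guards against a second tx_data_destroy(); callers must still not release a tdata they no longer own. */` would make that limit clear. The line guarding `tx_data_destroy(tdata);` is not visible in this listing (the gutter skips from 20 to 22) and the function body starts and ends outside the hunk, so the comparison used there could not be checked.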