Hello,
I am investigating a crash that has been happening since this commit:
commit 0c11f4f9c235bf791ac39446c293483462a99354
Date: Mon Dec 29 22:26:46 2014 +0100
pua_dialoginfo: load dialogs for dialoginfo event upon restart
- based on a patch by Kristian Høgh, FS#360
The problem appears to be that in this function of pua_dialoginfo.c...
/**
 * Dialog callback that publishes the initial "Trying" state for a new dialog.
 *
 * Does nothing unless the request is an INVITE and, when send_publish_flag
 * is set (> -1), the request carries that flag. Otherwise it obtains a
 * dlginfo cell from get_dialog_data(), publishes "Trying" for the caller
 * side, and then frees the cell.
 *
 * @param dlg     dialog the callback fired for
 * @param type    callback type, passed through to get_dialog_data()
 * @param _params callback parameters; only _params->req is read here
 *
 * NOTE(review): memory-safety issue reported in this message. As quoted
 * below, get_dialog_data() hands the same dlginfo pointer to
 * dlg_api.register_dlgcb() as the parameter for __dialog_sendpublish,
 * together with free_dlginfo_cell. Freeing it at the end of this function
 * leaves that registration holding a dangling pointer: later callbacks would
 * read freed memory, and the cell would presumably be released a second time
 * by the dialog module. Ownership needs to be settled in one place.
 */
static void
__dialog_created(struct dlg_cell *dlg, int type, struct dlg_cb_params *_params)
{
/* NOTE(review): req is dereferenced below without a NULL check; confirm it
 * is always set for the callback types this function is registered for. */
struct sip_msg *request = _params->req;
struct dlginfo_cell *dlginfo;
/* only INVITE-created dialogs are published */
if (request->REQ_METHOD != METHOD_INVITE)
return;
/* when a publish flag is configured, skip requests that do not carry it */
if(send_publish_flag > -1 && !(request->flags & (1<<send_publish_flag)))
return;
LM_DBG("new INVITE dialog created: from=%.*s\n", dlg->from_uri.len, dlg->from_uri.s);
/* get_dialog_data() also registers dlginfo with the dialog module (see
 * the excerpt quoted further down); NULL means nothing to publish */
dlginfo=get_dialog_data(dlg, type);
if(dlginfo==NULL)
return;
/* peer URI is the request URI when include_req_uri is set, else the To URI */
dialog_publish_multi("Trying", dlginfo->pubruris_caller,
&(dlg->from_uri),
(include_req_uri)?&(dlg->req_uri):&(dlg->to_uri),
&(dlg->callid), 1, dlginfo->lifetime,
0, 0, 0, 0, (send_publish_flag==-1)?1:0);
/* NOTE(review): this free is the one in question. The pointer is still
 * registered as a callback parameter, so it dangles after this call. */
free_dlginfo_cell(dlginfo);
}
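...dlginfo is freed, but is still being referenced in the callback registered here (the same pointer is passed to register_dlgcb as the parameter for __dialog_sendpublish, together with free_dlginfo_cell)...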
/**
 * Excerpt: builds the dlginfo cell for a dialog and registers the PUBLISH
 * callbacks for it. The elided parts ("...") are not shown in this message.
 *
 * Ownership, as far as the visible lines show: on success the returned
 * pointer is the same one that was passed to dlg_api.register_dlgcb() as the
 * callback parameter, with free_dlginfo_cell supplied alongside it. The
 * caller therefore receives a pointer that the dialog module also holds;
 * freeing it in the caller leaves the registered callbacks with a dangling
 * pointer. On registration failure the cell is freed here and NULL is
 * returned, so the caller has nothing to release in that case.
 *
 * @param dlg  dialog to register the callbacks on
 * @param type callback type (its use is in the elided part - not shown)
 * @return the dlginfo cell, or NULL if callback registration failed
 */
struct dlginfo_cell* get_dialog_data(struct dlg_cell *dlg, int type)
{
...
/* register dialog callbacks which triggers sending PUBLISH */
/* dlginfo is the callback parameter and free_dlginfo_cell is passed as the
 * final argument, presumably the release function the dialog module calls
 * for that parameter - confirm against the dialog module API */
if (dlg_api.register_dlgcb(dlg,
DLGCB_FAILED| DLGCB_CONFIRMED_NA | DLGCB_TERMINATED
| DLGCB_EXPIRED | DLGCB_REQ_WITHIN | DLGCB_EARLY,
__dialog_sendpublish, dlginfo, free_dlginfo_cell) != 0) {
LM_ERR("cannot register callback for interesting dialog types\n");
/* registration failed, so nothing else holds the cell; release it here */
free_dlginfo_cell(dlginfo);
return NULL;
}
...
/* the pointer returned here is the one registered above */
return(dlginfo);
}
Can the freeing of this structure simply be left up to the dialog module when the dialog is eventually destroyed?
All the best,
Charles