From 3aeeee43111ef78d6224e81e70f820961965bef3 Mon Sep 17 00:00:00 2001
From: Razvan Crainea
Date: Thu, 17 Aug 2023 09:08:06 +0300
Subject: [PATCH] rtp_relay: fix missing ref for legs in session

This missing ref would (almost all the time) lead to possible invalid memory accesses and possilbe double free. Thanks to Rob Moore and Steven Ayre from Dubber for reporting it and providing valuable information for troubleshooting
---
 modules/rtp_relay/rtp_relay_ctx.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/modules/rtp_relay/rtp_relay_ctx.c b/modules/rtp_relay/rtp_relay_ctx.c
index 3f57a00d323..5b46b3c6b0e 100644
--- a/modules/rtp_relay/rtp_relay_ctx.c
+++ b/modules/rtp_relay/rtp_relay_ctx.c
@@ -514,6 +514,7 @@ static inline void rtp_relay_push_sess_leg(struct rtp_relay_sess *sess,
 leg->peer = sess->legs[RTP_RELAY_PEER(type)];
 if (leg->peer)
 sess->legs[RTP_RELAY_PEER(type)]->peer = leg;
+ leg->ref++;
 }
 
 static inline void rtp_relay_fill_sess_leg(struct rtp_relay_ctx *ctx,
@@ -1735,8 +1736,8 @@ static int handle_rtp_relay_ctx_leg_reply(struct rtp_relay_ctx *ctx,
 return -1;
 } else {
 if (!sess->legs[type]) {
- sess->legs[type] = rtp_relay_new_leg(ctx,
- &get_to(msg)->tag_value, sess->index);
+ rtp_relay_push_sess_leg(sess, rtp_relay_new_leg(ctx,
+ &get_to(msg)->tag_value, sess->index), type);
 if (!sess->legs[type]) {
 LM_ERR("could not create new leg\n");
 return -1;
@@ -1896,8 +1897,8 @@ int rtp_relay_ctx_engage(struct sip_msg *msg,
 sess = rtp_relay_new_sess(ctx, relay, set, &get_from(msg)->tag_value, index);
 if (!sess->legs[RTP_RELAY_CALLER])
- sess->legs[RTP_RELAY_CALLER] = rtp_relay_new_leg(ctx,
- &get_from(msg)->tag_value, index);
+ rtp_relay_push_sess_leg(sess, rtp_relay_new_leg(ctx,
+ &get_from(msg)->tag_value, index), RTP_RELAY_CALLER);
 } else {
 leg = rtp_relay_get_peer_leg_ctx(ctx, msg);
 if (!leg) {
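Review bot: The new `leg->ref++;` at the end of rtp_relay_push_sess_leg carries no comment saying which owner the reference belongs to, although that ownership rule is exactly what this commit restores. A line such as `/* sess->legs[type] holds its own reference on the leg */` above the increment would let a reviewer pair it with the matching release. The increment is a plain `++`, so it presumably relies on the caller already holding whatever lock protects the context; that is not visible here because the function starts above the hunk.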
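Review bot: In handle_rtp_relay_ctx_leg_reply the return value of rtp_relay_new_leg() is now passed straight into rtp_relay_push_sess_leg(), whose visible tail dereferences `leg` unconditionally (`leg->peer = ...`, `leg->ref++`). The `if (!sess->legs[type])` check that follows implies the allocation can fail, and such a failure would now be a NULL dereference inside the helper before that check is reached. Unless the helper has a NULL guard above the first hunk, create the leg into a local and test it first, for example `if (!leg) { LM_ERR("could not create new leg\n"); return -1; }` and then `rtp_relay_push_sess_leg(sess, leg, type);`. The same call pattern appears in the rtp_relay_ctx_engage hunk, where no check follows the call at all. Both functions extend beyond their hunks, so whether a suitable local is already declared in this one is not visible.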