
Conversation


@Kicey Kicey commented Apr 22, 2025

Summary

To fix issue #3602.
In short, siprec unreferences the recorded dialog too early. After the memory of the rtp_relay_ctx in the dialog is released, the check of the dialog (by pointer) is no longer valid. Both the failover and ending the recording (copy delete) access the dialog (call ID, RTP relay context, etc.). So I try to unreference the dialog when the recorded dialog ends.

Details

The following code unreferences the dialog when the transaction ends:

if (srec_tm.register_tmcb(msg, 0, TMCB_RESPONSE_OUT, tm_start_recording,
ss, tm_src_unref_session) <= 0) {

And if the recorded dialog ends before the SRS responds (before siprec gets the B2B notify), srec_b2b_notify's processing of the dialog will be unpredictable. So the segmentation fault is likely raised here (when invoking the rtp_relay copy_delete or rebuilding the INVITE body).

To simplify the code, I invoke src_unref_session in the srec_logic_destroy function and use the keep_sdp flag. If this is inappropriate, please let me know.

Solution

Make siprec unref the dialog when the recording ends.

Compatibility

The fix works well with 3.4.11.

Closing issues

@razvancrainea
Member

Hi, @Kicey!
I understand the scenario that leads to the crash, but I don't think this is the correct way to solve it - in fact, I believe it leads to invalid memory access too, because you are unreffing the session (which might also delete it) and then destroying the b2b entity and b2b key from the session itself.
A proper fix would be to ref the scenario and unref when the b2b logic is destroyed, but I am not sure we have these hooks - let me look deeper.
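A constructed model of the ownership problem discussed above, added here as an example; it is not OpenSIPS code, and every name in it (dialog_t, session_t, sess_unref, b2b_notify_copy_delete, b2b_logic_destroy, the three scenario functions) is an assumption standing in for the real dialog, siprec session and B2B logic. Dropping the last reference marks an object as freed instead of calling free(), so the three orderings from the thread (unref at transaction end, unref before the B2B teardown, unref after the B2B teardown) can be run and the bad ones report a use-after-free instead of crashing:

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not OpenSIPS code. A recorded dialog is refcounted and a
 * recording session holds one reference to it. The last unref only marks the
 * object freed so that a later access is detectable rather than a segfault. */
typedef struct {
    int refs;
    int freed;
    char callid[40];
} dialog_t;

typedef struct {
    dialog_t *dlg;
    int refs;
    int freed;
    int b2b_entity_live;     /* 1 while the B2B entity and key still exist */
} session_t;

static dialog_t *dlg_new(const char *callid)
{
    dialog_t *d = calloc(1, sizeof *d);
    snprintf(d->callid, sizeof d->callid, "%s", callid);
    d->refs = 1;             /* reference owned by the dialog module itself */
    return d;
}

static void dlg_ref(dialog_t *d)   { d->refs++; }
static void dlg_unref(dialog_t *d) { if (--d->refs == 0) d->freed = 1; }

static session_t *sess_new(dialog_t *d)
{
    session_t *s = calloc(1, sizeof *s);
    s->dlg = d;
    dlg_ref(d);              /* the session keeps the recorded dialog alive */
    s->refs = 1;
    s->b2b_entity_live = 1;
    return s;
}

/* Stand-in for src_unref_session: the session's last reference also releases
 * the reference it holds on the dialog. */
static void sess_unref(session_t *s)
{
    if (--s->refs == 0) {
        s->freed = 1;
        dlg_unref(s->dlg);
    }
}

/* What the B2B notify handler needs once the SRS answers: the recorded dialog
 * (call-id, RTP relay context) to delete the media copy.
 * Returns 1 on a valid access, 0 if the session or dialog is already gone. */
static int b2b_notify_copy_delete(session_t *s)
{
    if (s->freed || s->dlg->freed)
        return 0;
    printf("copy_delete for %s\n", s->dlg->callid);
    return 1;
}

/* B2B logic teardown: destroys the entity and key kept in the session, so the
 * session must still be alive when it runs. */
static int b2b_logic_destroy(session_t *s)
{
    if (s->freed)
        return 0;
    s->b2b_entity_live = 0;
    return 1;
}

static void cleanup(session_t *s, dialog_t *d) { free(s); free(d); }

/* Original ordering: the reference goes away at transaction end, the recorded
 * call then ends, and the late SRS answer touches a dead dialog. */
static int scenario_unref_at_transaction_end(void)
{
    dialog_t *d = dlg_new("rec-1@example.invalid");  /* constructed input */
    session_t *s = sess_new(d);
    sess_unref(s);                        /* TMCB_RESPONSE_OUT fired */
    dlg_unref(d);                         /* recorded dialog ended */
    int ok = b2b_notify_copy_delete(s);   /* SRS answer arrives late */
    cleanup(s, d);
    return ok;                            /* 0: use after free */
}

/* Ordering proposed in the PR: unref in the logic-destroy path, then tear
 * down the B2B entity stored in the (possibly freed) session. */
static int scenario_unref_then_destroy(void)
{
    dialog_t *d = dlg_new("rec-2@example.invalid");
    session_t *s = sess_new(d);
    int ok = b2b_notify_copy_delete(s);   /* SRS answered while all is alive */
    sess_unref(s);
    ok = b2b_logic_destroy(s) && ok;      /* reads a freed session */
    dlg_unref(d);
    cleanup(s, d);
    return ok;                            /* 0: use after free */
}

/* Ordering the reviewer asks for: hold the reference until nothing can use
 * the session any more, and check that the dialog is released at the end. */
static int scenario_destroy_then_unref(void)
{
    dialog_t *d = dlg_new("rec-3@example.invalid");
    session_t *s = sess_new(d);
    int ok = b2b_notify_copy_delete(s);
    ok = b2b_logic_destroy(s) && ok && !s->b2b_entity_live;
    sess_unref(s);                        /* the last use is behind us */
    dlg_unref(d);
    ok = ok && d->freed;                  /* no leaked dialog reference */
    cleanup(s, d);
    return ok;                            /* 1: all accesses valid */
}

int main(void)
{
    printf("unref at transaction end: %s\n",
           scenario_unref_at_transaction_end() ? "ok" : "use-after-free");
    printf("unref, then B2B destroy:  %s\n",
           scenario_unref_then_destroy() ? "ok" : "use-after-free");
    printf("B2B destroy, then unref:  %s\n",
           scenario_destroy_then_unref() ? "ok" : "use-after-free");
    return 0;
}
```

The model collapses the session and dialog lifetimes into a single reference, which is a simplification; the point it keeps is the one both comments make: a reference must outlive the last code path that dereferences it, and a teardown routine that reads fields out of an object must run before, not after, the unref that can free that object.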
