Commit ae85ad744a for asterisk.org

commit ae85ad744af4fa2a044bd362aaf7fc32dd72a90f
Author: Thomas Guebels <thomas.guebels@dstny.com>
Date:   Thu Jul 9 14:44:38 2026 +0200

    res_http_websocket: Unref session when it fails to establish.

    Two error paths in res_http_websocket could leak an ast_websocket session by
    failing to drop a reference after the session had been allocated.

    The first occurs when session ID generation fails. While this is largely
    theoretical, as it would require an out-of-memory condition, the session
    reference should still be released correctly.

    The second occurs when the ast_websocket_pre_callback session_attempted callback
    returns an error. This path is reachable through ari_websockets, which
    implements this callback and can legitimately fail under certain conditions.

    Fixes: #2020

diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
index 1ec4120fd8..1fe9b4893e 100644
--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
@@ -1089,6 +1089,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
 			ast_log(LOG_WARNING, "WebSocket connection from '%s' could not be accepted - failed to generate a session id\n",
 				ast_sockaddr_stringify(&ser->remote_address));
 			ast_http_error(ser, 500, "Internal Server Error", "Allocation failed");
+			ao2_ref(session, -1);
 			ao2_ref(protocol_handler, -1);
 			return 0;
 		}
@@ -1098,6 +1099,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
 			ast_debug(3, "WebSocket connection from '%s' rejected by protocol handler '%s'\n",
 				ast_sockaddr_stringify(&ser->remote_address), protocol_handler->name);
 			websocket_bad_request(ser);
+			ao2_ref(session, -1);
 			ao2_ref(protocol_handler, -1);
 			return 0;
 		}