commit c3c1bf45cae2a35003aa16c267d59f97027f9c5e
Author: Kevin Harwell <kharwell@digium.com>
Date:   Thu Jun 11 11:11:13 2020 -0500

    sip_inv - fix invite session ref count crash
    
    Ensure the session's ref count is only decremented under proper conditons.
    
    For more details see the following issue report:
    https://github.com/pjsip/pjproject/issues/2443
    
    Patch supplied by sauwming

--- a/pjsip/src/pjsip-ua/sip_inv.c
+++ b/pjsip/src/pjsip-ua/sip_inv.c
@@ -323,9 +323,19 @@ static void inv_set_state(pjsip_inv_sess
 	(*mod_inv.cb.on_state_changed)(inv, e);
     pjsip_inv_dec_ref(inv);
 
-    /* Only decrement when previous state is not already DISCONNECTED */
+    /* The above callback may change the state, so we need to be careful here
+     * and only decrement inv under the following conditions:
+     * 1. If the state parameter is DISCONNECTED, and previous state is not
+     *    already DISCONNECTED.
+     *    This is to make sure that dec_ref() is not called more than once.
+     * 2. If current state is PJSIP_INV_STATE_DISCONNECTED.
+     *    This is to make sure that dec_ref() is not called if user restarts
+     *    inv within the callback. Note that this check must be last since
+     *    inv may have already been destroyed.
+     */
     if (state == PJSIP_INV_STATE_DISCONNECTED &&
-	prev_state != PJSIP_INV_STATE_DISCONNECTED) 
+	prev_state != PJSIP_INV_STATE_DISCONNECTED &&
+	inv->state == PJSIP_INV_STATE_DISCONNECTED) 
     {
 	pjsip_inv_dec_ref(inv);
     }