authormurf <murf@f38db490-d61c-443f-a65b-d21fe96a405b>2007-03-20 17:43:02 +0000
committermurf <murf@f38db490-d61c-443f-a65b-d21fe96a405b>2007-03-20 17:43:02 +0000
commitc97044b19caa1897bf5f7c452538bded9d8633a9 (patch)
tree413d41b1ec8e49a99ca8f7ca676d24f02f7c488f
parent6d2b0731ea49c44167befa9bfb7569a446af666a (diff)
The fix for the AEL <<security hole>> (bug 9316) is here...
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@59069 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r--apps/app_stack.c231
-rw-r--r--include/asterisk/ael_structs.h1
-rw-r--r--pbx/pbx_ael.c27
3 files changed, 216 insertions, 43 deletions
diff --git a/apps/app_stack.c b/apps/app_stack.c
index 34aa8693f..a3124647e 100644
--- a/apps/app_stack.c
+++ b/apps/app_stack.c
@@ -1,7 +1,7 @@
/*
* Asterisk -- An open source telephony toolkit.
*
- * Copyright (c) 2004-2006 Tilghman Lesher <app_stack_v002@the-tilghman.com>.
+ * Copyright (c) 2004-2006 Tilghman Lesher <app_stack_v003@the-tilghman.com>.
*
* This code is released by the author with no restrictions on usage.
*
@@ -20,7 +20,7 @@
*
* \brief Stack applications Gosub, Return, etc.
*
- * \author Tilghman Lesher <app_stack_v002@the-tilghman.com>
+ * \author Tilghman Lesher <app_stack_v003@the-tilghman.com>
*
* \ingroup applications
*/
@@ -41,10 +41,10 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/pbx.h"
#include "asterisk/module.h"
#include "asterisk/config.h"
+#include "asterisk/app.h"
#define STACKVAR "~GOSUB~STACK~"
-
static const char *app_gosub = "Gosub";
static const char *app_gosubif = "GosubIf";
static const char *app_return = "Return";
@@ -56,63 +56,219 @@ static const char *return_synopsis = "Return from gosub routine";
static const char *pop_synopsis = "Remove one address from gosub stack";
static const char *gosub_descrip =
-"Gosub([[context|]exten|]priority)\n"
+"Gosub([[context|]exten|]priority[(arg1[|...][|argN])])\n"
" Jumps to the label specified, saving the return address.\n";
static const char *gosubif_descrip =
-"GosubIf(condition?labeliftrue[:labeliffalse])\n"
+"GosubIf(condition?labeliftrue[(arg1[|...])][:labeliffalse[(arg1[|...])]])\n"
" If the condition is true, then jump to labeliftrue. If false, jumps to\n"
"labeliffalse, if specified. In either case, a jump saves the return point\n"
"in the dialplan, to be returned to with a Return.\n";
static const char *return_descrip =
-"Return()\n"
-" Jumps to the last label on the stack, removing it.\n";
+"Return([return-value])\n"
+" Jumps to the last label on the stack, removing it. The return value, if\n"
+"any, is saved in the channel variable GOSUB_RETVAL.\n";
static const char *pop_descrip =
"StackPop()\n"
" Removes last label on the stack, discarding it.\n";
+static void gosub_free(void *data);
+
+static struct ast_datastore_info stack_info = {
+ .type = "GOSUB",
+ .destroy = gosub_free,
+};
+
+struct gosub_stack_frame {
+ AST_LIST_ENTRY(gosub_stack_frame) entries;
+ /* 100 arguments is all that we support anyway, but this will handle up to 255 */
+ unsigned char arguments;
+ int priority;
+ char *context;
+ char extension[0];
+};
+
+static void gosub_release_frame(struct ast_channel *chan, struct gosub_stack_frame *frame)
+{
+ unsigned char i;
+ char argname[15];
+
+ /* If chan is not defined, then we're calling it as part of gosub_free,
+ * and the channel variables will be deallocated anyway. Otherwise, we're
+ * just releasing a single frame, so we need to clean up the arguments for
+ * that frame, so that we re-expose the variables from the previous frame
+ * that were hidden by this one.
+ */
+ if (chan) {
+ for (i = 1; i <= frame->arguments && i != 0; i++) {
+ snprintf(argname, sizeof(argname), "ARG%hhd", i);
+ pbx_builtin_setvar_helper(chan, argname, NULL);
+ }
+ }
+ ast_free(frame);
+}
+
+static struct gosub_stack_frame *gosub_allocate_frame(const char *context, const char *extension, int priority, unsigned char arguments)
+{
+ struct gosub_stack_frame *new = NULL;
+ int len_extension = strlen(extension), len_context = strlen(context);
+
+ if ((new = ast_calloc(1, sizeof(*new) + 2 + len_extension + len_context))) {
+ strcpy(new->extension, extension);
+ new->context = new->extension + len_extension + 1;
+ strcpy(new->context, context);
+ new->priority = priority;
+ new->arguments = arguments;
+ }
+ return new;
+}
+
+static void gosub_free(void *data)
+{
+ AST_LIST_HEAD(, gosub_stack_frame) *oldlist = data;
+ struct gosub_stack_frame *oldframe;
+ AST_LIST_LOCK(oldlist);
+ while ((oldframe = AST_LIST_REMOVE_HEAD(oldlist, entries))) {
+ gosub_release_frame(NULL, oldframe);
+ }
+ AST_LIST_UNLOCK(oldlist);
+ AST_LIST_HEAD_DESTROY(oldlist);
+ ast_free(oldlist);
+}
+
static int pop_exec(struct ast_channel *chan, void *data)
{
- pbx_builtin_setvar_helper(chan, STACKVAR, NULL);
+ struct ast_datastore *stack_store = ast_channel_datastore_find(chan, &stack_info, NULL);
+ struct gosub_stack_frame *oldframe;
+ AST_LIST_HEAD(, gosub_stack_frame) *oldlist;
+
+ if (!stack_store) {
+ ast_log(LOG_WARNING, "%s called with no gosub stack allocated.\n", app_pop);
+ return 0;
+ }
+
+ oldlist = stack_store->data;
+ AST_LIST_LOCK(oldlist);
+ oldframe = AST_LIST_REMOVE_HEAD(oldlist, entries);
+ AST_LIST_UNLOCK(oldlist);
+
+ if (oldframe)
+ gosub_release_frame(chan, oldframe);
+ else if (option_debug)
+ ast_log(LOG_DEBUG, "%s called with an empty gosub stack\n", app_pop);
return 0;
}
static int return_exec(struct ast_channel *chan, void *data)
{
- const char *label = pbx_builtin_getvar_helper(chan, STACKVAR);
+ struct ast_datastore *stack_store = ast_channel_datastore_find(chan, &stack_info, NULL);
+ struct gosub_stack_frame *oldframe;
+ AST_LIST_HEAD(, gosub_stack_frame) *oldlist;
+ char *retval = data;
- if (ast_strlen_zero(label)) {
- ast_log(LOG_ERROR, "Return without Gosub: stack is empty\n");
+ if (!stack_store) {
+ ast_log(LOG_ERROR, "Return without Gosub: stack is unallocated\n");
return -1;
- } else if (ast_parseable_goto(chan, label)) {
- ast_log(LOG_WARNING, "No next statement after Gosub?\n");
+ }
+
+ oldlist = stack_store->data;
+ AST_LIST_LOCK(oldlist);
+ oldframe = AST_LIST_REMOVE_HEAD(oldlist, entries);
+ AST_LIST_UNLOCK(oldlist);
+
+ if (!oldframe) {
+ ast_log(LOG_ERROR, "Return without Gosub: stack is empty\n");
return -1;
}
- pbx_builtin_setvar_helper(chan, STACKVAR, NULL);
+ ast_explicit_goto(chan, oldframe->context, oldframe->extension, oldframe->priority);
+ gosub_release_frame(chan, oldframe);
+
+ /* Set a return value, if any */
+ pbx_builtin_setvar_helper(chan, "GOSUB_RETVAL", S_OR(retval, ""));
return 0;
}
static int gosub_exec(struct ast_channel *chan, void *data)
{
- char newlabel[AST_MAX_EXTENSION * 2 + 3 + 11];
+ struct ast_datastore *stack_store = ast_channel_datastore_find(chan, &stack_info, NULL);
+ AST_LIST_HEAD(, gosub_stack_frame) *oldlist;
+ struct gosub_stack_frame *newframe;
+ char argname[15], *tmp = ast_strdupa(data), *label, *endparen;
+ int i;
struct ast_module_user *u;
+ AST_DECLARE_APP_ARGS(args2,
+ AST_APP_ARG(argval)[100];
+ );
if (ast_strlen_zero(data)) {
- ast_log(LOG_ERROR, "%s requires an argument: %s([[context|]exten|]priority)\n", app_gosub, app_gosub);
+ ast_log(LOG_ERROR, "%s requires an argument: %s([[context|]exten|]priority[(arg1[|...][|argN])])\n", app_gosub, app_gosub);
return -1;
}
u = ast_module_user_add(chan);
- snprintf(newlabel, sizeof(newlabel), "%s|%s|%d", chan->context, chan->exten, chan->priority + 1);
- if (ast_parseable_goto(chan, data)) {
+ if (!stack_store) {
+ if (option_debug)
+ ast_log(LOG_DEBUG, "Channel %s has no datastore, so we're allocating one.\n", chan->name);
+ stack_store = ast_channel_datastore_alloc(&stack_info, NULL);
+ if (!stack_store) {
+ ast_log(LOG_ERROR, "Unable to allocate new datastore. Gosub will fail.\n");
+ ast_module_user_remove(u);
+ return -1;
+ }
+
+ oldlist = ast_calloc(1, sizeof(*oldlist));
+ if (!oldlist) {
+ ast_log(LOG_ERROR, "Unable to allocate datastore list head. Gosub will fail.\n");
+ ast_channel_datastore_free(stack_store);
+ ast_module_user_remove(u);
+ return -1;
+ }
+
+ stack_store->data = oldlist;
+ AST_LIST_HEAD_INIT(oldlist);
+ ast_channel_datastore_add(chan, stack_store);
+ }
+
+ /* Separate the arguments from the label */
+ /* NOTE: you cannot use ast_app_separate_args for this, because '(' cannot be used as a delimiter. */
+ label = strsep(&tmp, "(");
+ if (tmp) {
+ endparen = strrchr(tmp, ')');
+ if (endparen)
+ *endparen = '\0';
+ else
+ ast_log(LOG_WARNING, "Ouch. No closing paren: '%s'?\n", (char *)data);
+ AST_STANDARD_APP_ARGS(args2, tmp);
+ } else
+ args2.argc = 0;
+
+ /* Create the return address, but don't save it until we know that the Gosub destination exists */
+ newframe = gosub_allocate_frame(chan->context, chan->exten, chan->priority + 1, args2.argc);
+
+ if (ast_parseable_goto(chan, label)) {
+ ast_log(LOG_ERROR, "Gosub address is invalid: '%s'\n", (char *)data);
+ ast_free(newframe);
ast_module_user_remove(u);
return -1;
}
- pbx_builtin_pushvar_helper(chan, STACKVAR, newlabel);
+ /* Now that we know for certain that we're going to a new location, set our arguments */
+ for (i = 0; i < args2.argc; i++) {
+ snprintf(argname, sizeof(argname), "ARG%d", i + 1);
+ pbx_builtin_pushvar_helper(chan, argname, args2.argval[i]);
+ if (option_debug)
+ ast_log(LOG_DEBUG, "Setting '%s' to '%s'\n", argname, args2.argval[i]);
+ }
+
+ /* And finally, save our return address */
+ oldlist = stack_store->data;
+ AST_LIST_LOCK(oldlist);
+ AST_LIST_INSERT_HEAD(oldlist, newframe, entries);
+ AST_LIST_UNLOCK(oldlist);
+
ast_module_user_remove(u);
return 0;
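Review bot: In gosub_exec, `tmp = ast_strdupa(data)` sits in the declaration initialiser, so it runs before the `ast_strlen_zero(data)` guard a few lines below; if data can be NULL, which that guard implies, the copy dereferences it first (ast_strdupa presumably measures its argument with strlen). The result of gosub_allocate_frame() is also never checked, although that helper visibly returns NULL when ast_calloc fails, and the NULL frame then reaches AST_LIST_INSERT_HEAD after ast_parseable_goto has moved the channel and the ARGn variables have been pushed. Either path would crash inside a dialplan application whose arguments may be derived from call data, so both should fail cleanly with -1, as the datastore allocation failures above already do. The sketch below moves the copy after the guard and bails out right after the allocation; gosub_exec's closing brace lies outside the hunk.

```c
	char argname[15], *tmp, *label, *endparen;
	/* … unchanged: remaining declarations, empty-argument check, ast_module_user_add … */
	tmp = ast_strdupa(data);
	/* … unchanged: datastore setup, label/argument split … */
	newframe = gosub_allocate_frame(chan->context, chan->exten, chan->priority + 1, args2.argc);
	if (!newframe) {
		ast_log(LOG_ERROR, "Unable to allocate gosub stack frame. Gosub will fail.\n");
		ast_module_user_remove(u);
		return -1;
	}
```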
@@ -121,28 +277,39 @@ static int gosub_exec(struct ast_channel *chan, void *data)
static int gosubif_exec(struct ast_channel *chan, void *data)
{
struct ast_module_user *u;
- char *condition="", *label1, *label2, *args;
+ char *args;
int res=0;
+ AST_DECLARE_APP_ARGS(cond,
+ AST_APP_ARG(ition);
+ AST_APP_ARG(labels);
+ );
+ AST_DECLARE_APP_ARGS(label,
+ AST_APP_ARG(iftrue);
+ AST_APP_ARG(iffalse);
+ );
if (ast_strlen_zero(data)) {
- ast_log(LOG_WARNING, "GosubIf requires an argument\n");
+ ast_log(LOG_WARNING, "GosubIf requires an argument: GosubIf(cond?label1(args):label2(args)\n");
return 0;
}
- args = ast_strdupa(data);
-
u = ast_module_user_add(chan);
- condition = strsep(&args, "?");
- label1 = strsep(&args, ":");
- label2 = args;
+ args = ast_strdupa(data);
+ AST_NONSTANDARD_APP_ARGS(cond, args, '?');
+ if (cond.argc != 2) {
+ ast_log(LOG_WARNING, "GosubIf requires an argument: GosubIf(cond?label1(args):label2(args)\n");
+ ast_module_user_remove(u);
+ return 0;
+ }
- if (pbx_checkcondition(condition)) {
- if (label1) {
- res = gosub_exec(chan, label1);
- }
- } else if (label2) {
- res = gosub_exec(chan, label2);
+ AST_NONSTANDARD_APP_ARGS(label, cond.labels, ':');
+
+ if (pbx_checkcondition(cond.ition)) {
+ if (!ast_strlen_zero(label.iftrue))
+ res = gosub_exec(chan, label.iftrue);
+ } else if (!ast_strlen_zero(label.iffalse)) {
+ res = gosub_exec(chan, label.iffalse);
}
ast_module_user_remove(u);
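Review bot: The usage text in both new warnings, `GosubIf(cond?label1(args):label2(args)`, is missing its closing parenthesis, and the same literal is written twice (the empty-argument check and the `cond.argc != 2` check). Defining it once next to `gosubif_descrip` and logging it through `"%s"` would keep the two copies from drifting. The `cond.ition` and `label.iftrue` field names read as a pun; a one-line comment saying that `cond` holds the text on either side of `?` and `label` the two sides of `:` would help the next reader. gosubif_exec continues past the end of the hunk.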
diff --git a/include/asterisk/ael_structs.h b/include/asterisk/ael_structs.h
index e17d302ee..9b5581d6c 100644
--- a/include/asterisk/ael_structs.h
+++ b/include/asterisk/ael_structs.h
@@ -176,6 +176,7 @@ struct ael_extension
char *cidmatch;
char *hints;
int regexten;
+ int is_switch;
struct ast_context *context;
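Review bot: The new `is_switch` field carries no comment, so its meaning can only be recovered from pbx_ael.c. Suggest `int is_switch; /* non-zero for extensions generated for switch cases; set_priorities() numbers these from 10 */`. The struct continues outside the hunk.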
diff --git a/pbx/pbx_ael.c b/pbx/pbx_ael.c
index 6b787b8e0..85debdc99 100644
--- a/pbx/pbx_ael.c
+++ b/pbx/pbx_ael.c
@@ -3055,7 +3055,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
switch_end = new_prio();
switch_test->type = AEL_APPCALL;
switch_end->type = AEL_APPCALL;
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",control_statement_count, p->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",control_statement_count, p->u1.str);
switch_test->app = strdup("Goto");
switch_test->appargs = strdup(buf1);
snprintf(buf1,sizeof(buf1),"Finish switch-%s-%d", label, control_statement_count);
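Review bot: The start priority 10 is written as a bare literal in the `|10` suffix of the generated Goto target here and in every later gen_prios hunk, and again as `i = 10;` in set_priorities; nothing ties these together, so changing one without the others would leave the generated Goto pointing at a priority that does not exist. A single named constant (for example `#define AEL_SWITCH_START_PRIO 10`, name suggested here) used in the format strings as `"sw-%d-%s|%d"` and in set_priorities would keep them in step. A comment at that constant should also say why switch-case extensions do not start at 1: presumably so that they cannot be entered at priority 1 like an ordinary dialled extension, which appears to be the hole the commit message refers to; confirm against bug 9316. gen_prios starts and ends outside the hunk.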
@@ -3077,6 +3077,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
/* ok, generate a extension and link it in */
switch_case = new_exten();
switch_case->context = this_context;
+ switch_case->is_switch = 1;
/* the break/continue locations are inherited from parent */
switch_case->loop_break = exten->loop_break;
switch_case->loop_continue = exten->loop_continue;
@@ -3100,7 +3101,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
fall_thru = new_prio();
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, p2->next->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, p2->next->u1.str);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (p2->next && p2->next->type == PV_PATTERN) {
@@ -3108,14 +3109,14 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
gen_match_to_pattern(p2->next->u1.str, buf2);
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1", local_control_statement_count, buf2);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10", local_control_statement_count, buf2);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (p2->next && p2->next->type == PV_DEFAULT) {
fall_thru = new_prio();
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-.|1",local_control_statement_count);
+ snprintf(buf1,sizeof(buf1),"sw-%d-.|10",local_control_statement_count);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (!p2->next) {
@@ -3140,6 +3141,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
/* ok, generate a extension and link it in */
switch_case = new_exten();
switch_case->context = this_context;
+ switch_case->is_switch = 1;
/* the break/continue locations are inherited from parent */
switch_case->loop_break = exten->loop_break;
switch_case->loop_continue = exten->loop_continue;
@@ -3162,7 +3164,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
fall_thru = new_prio();
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, p2->next->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, p2->next->u1.str);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (p2->next && p2->next->type == PV_PATTERN) {
@@ -3170,14 +3172,14 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
gen_match_to_pattern(p2->next->u1.str, buf2);
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, buf2);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, buf2);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (p2->next && p2->next->type == PV_DEFAULT) {
fall_thru = new_prio();
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-.|1",local_control_statement_count);
+ snprintf(buf1,sizeof(buf1),"sw-%d-.|10",local_control_statement_count);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (!p2->next) {
@@ -3203,6 +3205,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
/* ok, generate a extension and link it in */
switch_case = new_exten();
switch_case->context = this_context;
+ switch_case->is_switch = 1;
/* the break/continue locations are inherited from parent */
switch_case->loop_break = exten->loop_break;
switch_case->loop_continue = exten->loop_continue;
@@ -3226,7 +3229,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
fall_thru = new_prio();
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, p2->next->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, p2->next->u1.str);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (p2->next && p2->next->type == PV_PATTERN) {
@@ -3234,14 +3237,14 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
gen_match_to_pattern(p2->next->u1.str, buf2);
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, buf2);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, buf2);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (p2->next && p2->next->type == PV_DEFAULT) {
fall_thru = new_prio();
fall_thru->type = AEL_APPCALL;
fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-.|1",local_control_statement_count);
+ snprintf(buf1,sizeof(buf1),"sw-%d-.|10",local_control_statement_count);
fall_thru->appargs = strdup(buf1);
linkprio(switch_case, fall_thru);
} else if (!p2->next) {
@@ -3513,7 +3516,9 @@ void set_priorities(struct ael_extension *exten)
int i;
struct ael_priority *pr;
do {
- if (exten->regexten)
+ if (exten->is_switch)
+ i = 10;
+ else if (exten->regexten)
i=2;
else
i=1;