author | murf <murf@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-03-20 17:43:02 +0000 |
---|---|---|
committer | murf <murf@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-03-20 17:43:02 +0000 |
commit | c97044b19caa1897bf5f7c452538bded9d8633a9 (patch) | |
tree | 413d41b1ec8e49a99ca8f7ca676d24f02f7c488f | |
parent | 6d2b0731ea49c44167befa9bfb7569a446af666a (diff) |
The fix for the AEL <<security hole>> (bug 9316) is here...
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@59069 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r-- | apps/app_stack.c | 231 | ||||
-rw-r--r-- | include/asterisk/ael_structs.h | 1 | ||||
-rw-r--r-- | pbx/pbx_ael.c | 27 |
3 files changed, 216 insertions, 43 deletions
diff --git a/apps/app_stack.c b/apps/app_stack.c index 34aa8693f..a3124647e 100644 --- a/apps/app_stack.c +++ b/apps/app_stack.c @@ -1,7 +1,7 @@ /* * Asterisk -- An open source telephony toolkit. * - * Copyright (c) 2004-2006 Tilghman Lesher <app_stack_v002@the-tilghman.com>. + * Copyright (c) 2004-2006 Tilghman Lesher <app_stack_v003@the-tilghman.com>. * * This code is released by the author with no restrictions on usage. * @@ -20,7 +20,7 @@ * * \brief Stack applications Gosub, Return, etc. * - * \author Tilghman Lesher <app_stack_v002@the-tilghman.com> + * \author Tilghman Lesher <app_stack_v003@the-tilghman.com> * * \ingroup applications */ @@ -41,10 +41,10 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include "asterisk/pbx.h" #include "asterisk/module.h" #include "asterisk/config.h" +#include "asterisk/app.h" #define STACKVAR "~GOSUB~STACK~" - static const char *app_gosub = "Gosub"; static const char *app_gosubif = "GosubIf"; static const char *app_return = "Return"; 
@@ -56,63 +56,219 @@ static const char *return_synopsis = "Return from gosub routine"; static const char *pop_synopsis = "Remove one address from gosub stack"; static const char *gosub_descrip = -"Gosub([[context|]exten|]priority)\n" +"Gosub([[context|]exten|]priority[(arg1[|...][|argN])])\n" " Jumps to the label specified, saving the return address.\n"; static const char *gosubif_descrip = -"GosubIf(condition?labeliftrue[:labeliffalse])\n" +"GosubIf(condition?labeliftrue[(arg1[|...])][:labeliffalse[(arg1[|...])]])\n" " If the condition is true, then jump to labeliftrue. If false, jumps to\n" "labeliffalse, if specified. In either case, a jump saves the return point\n" "in the dialplan, to be returned to with a Return.\n"; static const char *return_descrip = -"Return()\n" -" Jumps to the last label on the stack, removing it.\n"; +"Return([return-value])\n" +" Jumps to the last label on the stack, removing it. The return value, if\n" +"any, is saved in the channel variable GOSUB_RETVAL.\n"; static const char *pop_descrip = "StackPop()\n" " Removes last label on the stack, discarding it.\n"; +static void gosub_free(void *data); + +static struct ast_datastore_info stack_info = { + .type = "GOSUB", + .destroy = gosub_free, +}; + +struct gosub_stack_frame { + AST_LIST_ENTRY(gosub_stack_frame) entries; + /* 100 arguments is all that we support anyway, but this will handle up to 255 */ + unsigned char arguments; + int priority; + char *context; + char extension[0]; +}; + +static void gosub_release_frame(struct ast_channel *chan, struct gosub_stack_frame *frame) +{ + unsigned char i; + char argname[15]; + + /* If chan is not defined, then we're calling it as part of gosub_free, + * and the channel variables will be deallocated anyway. Otherwise, we're + * just releasing a single frame, so we need to clean up the arguments for + * that frame, so that we re-expose the variables from the previous frame + * that were hidden by this one. 
+ */ + if (chan) { + for (i = 1; i <= frame->arguments && i != 0; i++) { + snprintf(argname, sizeof(argname), "ARG%hhd", i); + pbx_builtin_setvar_helper(chan, argname, NULL); + } + } + ast_free(frame); +} + +static struct gosub_stack_frame *gosub_allocate_frame(const char *context, const char *extension, int priority, unsigned char arguments) +{ + struct gosub_stack_frame *new = NULL; + int len_extension = strlen(extension), len_context = strlen(context); + + if ((new = ast_calloc(1, sizeof(*new) + 2 + len_extension + len_context))) { + strcpy(new->extension, extension); + new->context = new->extension + len_extension + 1; + strcpy(new->context, context); + new->priority = priority; + new->arguments = arguments; + } + return new; +} + +static void gosub_free(void *data) +{ + AST_LIST_HEAD(, gosub_stack_frame) *oldlist = data; + struct gosub_stack_frame *oldframe; + AST_LIST_LOCK(oldlist); + while ((oldframe = AST_LIST_REMOVE_HEAD(oldlist, entries))) { + gosub_release_frame(NULL, oldframe); + } + AST_LIST_UNLOCK(oldlist); + AST_LIST_HEAD_DESTROY(oldlist); + ast_free(oldlist); +} + static int pop_exec(struct ast_channel *chan, void *data) { - pbx_builtin_setvar_helper(chan, STACKVAR, NULL); + struct ast_datastore *stack_store = ast_channel_datastore_find(chan, &stack_info, NULL); + struct gosub_stack_frame *oldframe; + AST_LIST_HEAD(, gosub_stack_frame) *oldlist; + + if (!stack_store) { + ast_log(LOG_WARNING, "%s called with no gosub stack allocated.\n", app_pop); + return 0; + } + + oldlist = stack_store->data; + AST_LIST_LOCK(oldlist); + oldframe = AST_LIST_REMOVE_HEAD(oldlist, entries); + AST_LIST_UNLOCK(oldlist); + + if (oldframe) + gosub_release_frame(chan, oldframe); + else if (option_debug) + ast_log(LOG_DEBUG, "%s called with an empty gosub stack\n", app_pop); return 0; } static int return_exec(struct ast_channel *chan, void *data) { - const char *label = pbx_builtin_getvar_helper(chan, STACKVAR); + struct ast_datastore *stack_store = 
ast_channel_datastore_find(chan, &stack_info, NULL); + struct gosub_stack_frame *oldframe; + AST_LIST_HEAD(, gosub_stack_frame) *oldlist; + char *retval = data; - if (ast_strlen_zero(label)) { - ast_log(LOG_ERROR, "Return without Gosub: stack is empty\n"); + if (!stack_store) { + ast_log(LOG_ERROR, "Return without Gosub: stack is unallocated\n"); return -1; - } else if (ast_parseable_goto(chan, label)) { - ast_log(LOG_WARNING, "No next statement after Gosub?\n"); + } + + oldlist = stack_store->data; + AST_LIST_LOCK(oldlist); + oldframe = AST_LIST_REMOVE_HEAD(oldlist, entries); + AST_LIST_UNLOCK(oldlist); + + if (!oldframe) { + ast_log(LOG_ERROR, "Return without Gosub: stack is empty\n"); return -1; } - pbx_builtin_setvar_helper(chan, STACKVAR, NULL); + ast_explicit_goto(chan, oldframe->context, oldframe->extension, oldframe->priority); + gosub_release_frame(chan, oldframe); + + /* Set a return value, if any */ + pbx_builtin_setvar_helper(chan, "GOSUB_RETVAL", S_OR(retval, "")); return 0; } static int gosub_exec(struct ast_channel *chan, void *data) { - char newlabel[AST_MAX_EXTENSION * 2 + 3 + 11]; + struct ast_datastore *stack_store = ast_channel_datastore_find(chan, &stack_info, NULL); + AST_LIST_HEAD(, gosub_stack_frame) *oldlist; + struct gosub_stack_frame *newframe; + char argname[15], *tmp = ast_strdupa(data), *label, *endparen; + int i; struct ast_module_user *u; + AST_DECLARE_APP_ARGS(args2, + AST_APP_ARG(argval)[100]; + ); if (ast_strlen_zero(data)) { - ast_log(LOG_ERROR, "%s requires an argument: %s([[context|]exten|]priority)\n", app_gosub, app_gosub); + ast_log(LOG_ERROR, "%s requires an argument: %s([[context|]exten|]priority[(arg1[|...][|argN])])\n", app_gosub, app_gosub); return -1; } u = ast_module_user_add(chan); - snprintf(newlabel, sizeof(newlabel), "%s|%s|%d", chan->context, chan->exten, chan->priority + 1); - if (ast_parseable_goto(chan, data)) { + if (!stack_store) { + if (option_debug) + ast_log(LOG_DEBUG, "Channel %s has no datastore, so 
we're allocating one.\n", chan->name); + stack_store = ast_channel_datastore_alloc(&stack_info, NULL); + if (!stack_store) { + ast_log(LOG_ERROR, "Unable to allocate new datastore. Gosub will fail.\n"); + ast_module_user_remove(u); + return -1; + } + + oldlist = ast_calloc(1, sizeof(*oldlist)); + if (!oldlist) { + ast_log(LOG_ERROR, "Unable to allocate datastore list head. Gosub will fail.\n"); + ast_channel_datastore_free(stack_store); + ast_module_user_remove(u); + return -1; + } + + stack_store->data = oldlist; + AST_LIST_HEAD_INIT(oldlist); + ast_channel_datastore_add(chan, stack_store); + } + + /* Separate the arguments from the label */ + /* NOTE: you cannot use ast_app_separate_args for this, because '(' cannot be used as a delimiter. */ + label = strsep(&tmp, "("); + if (tmp) { + endparen = strrchr(tmp, ')'); + if (endparen) + *endparen = '\0'; + else + ast_log(LOG_WARNING, "Ouch. No closing paren: '%s'?\n", (char *)data); + AST_STANDARD_APP_ARGS(args2, tmp); + } else + args2.argc = 0; + + /* Create the return address, but don't save it until we know that the Gosub destination exists */ + newframe = gosub_allocate_frame(chan->context, chan->exten, chan->priority + 1, args2.argc); + + if (ast_parseable_goto(chan, label)) { + ast_log(LOG_ERROR, "Gosub address is invalid: '%s'\n", (char *)data); + ast_free(newframe); ast_module_user_remove(u); return -1; } - pbx_builtin_pushvar_helper(chan, STACKVAR, newlabel); + /* Now that we know for certain that we're going to a new location, set our arguments */ + for (i = 0; i < args2.argc; i++) { + snprintf(argname, sizeof(argname), "ARG%d", i + 1); + pbx_builtin_pushvar_helper(chan, argname, args2.argval[i]); + if (option_debug) + ast_log(LOG_DEBUG, "Setting '%s' to '%s'\n", argname, args2.argval[i]); + } + + /* And finally, save our return address */ + oldlist = stack_store->data; + AST_LIST_LOCK(oldlist); + AST_LIST_INSERT_HEAD(oldlist, newframe, entries); + AST_LIST_UNLOCK(oldlist); + ast_module_user_remove(u); 
return 0; @@ -121,28 +277,39 @@ static int gosub_exec(struct ast_channel *chan, void *data) static int gosubif_exec(struct ast_channel *chan, void *data) { struct ast_module_user *u; - char *condition="", *label1, *label2, *args; + char *args; int res=0; + AST_DECLARE_APP_ARGS(cond, + AST_APP_ARG(ition); + AST_APP_ARG(labels); + ); + AST_DECLARE_APP_ARGS(label, + AST_APP_ARG(iftrue); + AST_APP_ARG(iffalse); + ); if (ast_strlen_zero(data)) { - ast_log(LOG_WARNING, "GosubIf requires an argument\n"); + ast_log(LOG_WARNING, "GosubIf requires an argument: GosubIf(cond?label1(args):label2(args)\n"); return 0; } - args = ast_strdupa(data); - u = ast_module_user_add(chan); - condition = strsep(&args, "?"); - label1 = strsep(&args, ":"); - label2 = args; + args = ast_strdupa(data); + AST_NONSTANDARD_APP_ARGS(cond, args, '?'); + if (cond.argc != 2) { + ast_log(LOG_WARNING, "GosubIf requires an argument: GosubIf(cond?label1(args):label2(args)\n"); + ast_module_user_remove(u); + return 0; + } - if (pbx_checkcondition(condition)) { - if (label1) { - res = gosub_exec(chan, label1); - } - } else if (label2) { - res = gosub_exec(chan, label2); + AST_NONSTANDARD_APP_ARGS(label, cond.labels, ':'); + + if (pbx_checkcondition(cond.ition)) { + if (!ast_strlen_zero(label.iftrue)) + res = gosub_exec(chan, label.iftrue); + } else if (!ast_strlen_zero(label.iffalse)) { + res = gosub_exec(chan, label.iffalse); } ast_module_user_remove(u); diff --git a/include/asterisk/ael_structs.h b/include/asterisk/ael_structs.h index e17d302ee..9b5581d6c 100644 --- a/include/asterisk/ael_structs.h +++ b/include/asterisk/ael_structs.h @@ -176,6 +176,7 @@ struct ael_extension char *cidmatch; char *hints; int regexten; + int is_switch; struct ast_context *context; diff --git a/pbx/pbx_ael.c b/pbx/pbx_ael.c index 6b787b8e0..85debdc99 100644 --- a/pbx/pbx_ael.c +++ b/pbx/pbx_ael.c 
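Review bot: In gosub_exec the initializer `*tmp = ast_strdupa(data)` runs in the declarations, before the `ast_strlen_zero(data)` guard, so a NULL `data` reaches the copy before it can be rejected; the copy should be made after the guard. The result of `gosub_allocate_frame()` is also never checked, and a failed allocation leaves `newframe` NULL when it is handed to `AST_LIST_INSERT_HEAD` after the channel has already been moved by `ast_parseable_goto`. Checking it right after the allocation, before the goto, keeps the channel where it was on failure. Separately, return_exec ignores the result of `ast_explicit_goto`, and `"ARG%hhd"` in gosub_release_frame formats an `unsigned char` with a signed conversion (`%hhu` would match). The closing brace of gosub_exec lies outside the hunk.

```c
static int gosub_exec(struct ast_channel *chan, void *data)
{
	/* … unchanged: stack_store, oldlist, newframe, i, u and args2 declarations … */
	char argname[15], *tmp, *label, *endparen;

	if (ast_strlen_zero(data)) {
		/* … unchanged: usage error, return -1 … */
	}

	/* Copy the argument only once it is known to be non-empty */
	tmp = ast_strdupa(data);

	/* … unchanged: datastore setup, label/argument separation … */

	newframe = gosub_allocate_frame(chan->context, chan->exten, chan->priority + 1, args2.argc);
	if (!newframe) {
		ast_log(LOG_ERROR, "Unable to allocate gosub stack frame. Gosub will fail.\n");
		ast_module_user_remove(u);
		return -1;
	}

	/* … unchanged: ast_parseable_goto, ARGn push, list insert … */
```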
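Review bot: Both warnings in gosubif_exec print the same text, `GosubIf requires an argument: GosubIf(cond?label1(args):label2(args)`, so an empty argument and a missing `?` look identical in the log, and the usage string is missing its closing parenthesis. The one under `cond.argc != 2` would read better as `"GosubIf requires a condition and a label: GosubIf(cond?label1(args):label2(args))\n"`. Returning 0 there lets the dialplan continue at the next priority exactly as if the condition had been false; a short comment stating that this is intended would help the next reader.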
@@ -3055,7 +3055,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 switch_end = new_prio();
 switch_test->type = AEL_APPCALL;
 switch_end->type = AEL_APPCALL;
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",control_statement_count, p->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",control_statement_count, p->u1.str);
 switch_test->app = strdup("Goto");
 switch_test->appargs = strdup(buf1);
 snprintf(buf1,sizeof(buf1),"Finish switch-%s-%d", label, control_statement_count);
@@ -3077,6 +3077,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 /* ok, generate a extension and link it in */
 switch_case = new_exten();
 switch_case->context = this_context;
+ switch_case->is_switch = 1;
 /* the break/continue locations are inherited from parent */
 switch_case->loop_break = exten->loop_break;
 switch_case->loop_continue = exten->loop_continue;
@@ -3100,7 +3101,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 fall_thru = new_prio();
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, p2->next->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, p2->next->u1.str);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (p2->next && p2->next->type == PV_PATTERN) {
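Review bot: The start priority `10` is now spelled out in every generated Goto target in gen_prios (`"sw-%d-%s|10"` and `"sw-%d-.|10"`, ten format strings across these hunks) and again as `i = 10` in set_priorities, with nothing tying the two together. If one site is changed and another is not, the Goto lands on a priority the switch extension does not have. A single named constant used in both places would prevent that, for example `#define AEL_SWITCH_START_PRIO 10` (the name is only a suggestion) with the format strings written as `"sw-%d-%s|%d"`. Neither the `is_switch` assignment nor the `i = 10` branch carries a comment; presumably the intent is that a switch-case extension has no priority 1 and so cannot be entered as an ordinary dialed extension, and that reasoning should be written down next to `if (exten->is_switch)`. gen_prios and the loop in set_priorities both continue outside the hunks.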
@@ -3108,14 +3109,14 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
 gen_match_to_pattern(p2->next->u1.str, buf2);
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1", local_control_statement_count, buf2);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10", local_control_statement_count, buf2);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (p2->next && p2->next->type == PV_DEFAULT) {
 fall_thru = new_prio();
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-.|1",local_control_statement_count);
+ snprintf(buf1,sizeof(buf1),"sw-%d-.|10",local_control_statement_count);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (!p2->next) {
@@ -3140,6 +3141,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 /* ok, generate a extension and link it in */
 switch_case = new_exten();
 switch_case->context = this_context;
+ switch_case->is_switch = 1;
 /* the break/continue locations are inherited from parent */
 switch_case->loop_break = exten->loop_break;
 switch_case->loop_continue = exten->loop_continue;
@@ -3162,7 +3164,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 fall_thru = new_prio();
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, p2->next->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, p2->next->u1.str);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (p2->next && p2->next->type == PV_PATTERN) {
@@ -3170,14 +3172,14 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
 gen_match_to_pattern(p2->next->u1.str, buf2);
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, buf2);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, buf2);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (p2->next && p2->next->type == PV_DEFAULT) {
 fall_thru = new_prio();
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-.|1",local_control_statement_count);
+ snprintf(buf1,sizeof(buf1),"sw-%d-.|10",local_control_statement_count);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (!p2->next) {
@@ -3203,6 +3205,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 /* ok, generate a extension and link it in */
 switch_case = new_exten();
 switch_case->context = this_context;
+ switch_case->is_switch = 1;
 /* the break/continue locations are inherited from parent */
 switch_case->loop_break = exten->loop_break;
 switch_case->loop_continue = exten->loop_continue;
@@ -3226,7 +3229,7 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 fall_thru = new_prio();
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, p2->next->u1.str);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, p2->next->u1.str);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (p2->next && p2->next->type == PV_PATTERN) {
@@ -3234,14 +3237,14 @@ static void gen_prios(struct ael_extension *exten, char *label, pval *statement,
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
 gen_match_to_pattern(p2->next->u1.str, buf2);
- snprintf(buf1,sizeof(buf1),"sw-%d-%s|1",local_control_statement_count, buf2);
+ snprintf(buf1,sizeof(buf1),"sw-%d-%s|10",local_control_statement_count, buf2);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (p2->next && p2->next->type == PV_DEFAULT) {
 fall_thru = new_prio();
 fall_thru->type = AEL_APPCALL;
 fall_thru->app = strdup("Goto");
- snprintf(buf1,sizeof(buf1),"sw-%d-.|1",local_control_statement_count);
+ snprintf(buf1,sizeof(buf1),"sw-%d-.|10",local_control_statement_count);
 fall_thru->appargs = strdup(buf1);
 linkprio(switch_case, fall_thru);
 } else if (!p2->next) {
@@ -3513,7 +3516,9 @@ void set_priorities(struct ael_extension *exten)
 int i;
 struct ael_priority *pr;
 do {
- if (exten->regexten)
+ if (exten->is_switch)
+ i = 10;
+ else if (exten->regexten)
 i=2;
 else
 i=1; |