5 files changed, 25 insertions, 11 deletions

diff --git a/src/shared/install-printf.c b/src/shared/install-printf.c
index 6bc3f15def..a697b5c4e7 100644
--- a/src/shared/install-printf.c
+++ b/src/shared/install-printf.c
@@ -103,7 +103,7 @@ static int specifier_last_component(char specifier, const void *data, const void
         return 0;
 }
 
-int install_full_printf(const UnitFileInstallInfo *i, const char *format, char **ret) {
+int install_full_printf_internal(const UnitFileInstallInfo *i, const char *format, size_t max_length, char **ret) {
         /* This is similar to unit_name_printf() */
 
         const Specifier table[] = {
@@ -123,5 +123,5 @@ int install_full_printf(const UnitFileInstallInfo *i, const char *format, char *
         assert(format);
         assert(ret);
 
-        return specifier_printf(format, table, i, ret);
+        return specifier_printf(format, max_length, table, i, ret);
 }
diff --git a/src/shared/install-printf.h b/src/shared/install-printf.h
index 34e129413e..13a39829e9 100644
--- a/src/shared/install-printf.h
+++ b/src/shared/install-printf.h
@@ -2,5 +2,12 @@
 #pragma once
 
 #include "install.h"
+#include "unit-name.h"
 
-int install_full_printf(const UnitFileInstallInfo *i, const char *format, char **ret);
+int install_full_printf_internal(const UnitFileInstallInfo *i, const char *format, size_t max_length, char **ret);
+static inline int install_name_printf(const UnitFileInstallInfo *i, const char *format, char **ret) {
+        return install_full_printf_internal(i, format, UNIT_NAME_MAX, ret);
+}
+static inline int install_path_printf(const UnitFileInstallInfo *i, const char *format, char **ret) {
+        return install_full_printf_internal(i, format, PATH_MAX-1, ret);
+}
diff --git a/src/shared/install.c b/src/shared/install.c
index 3e9f6a3df3..407de0af5e 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -1143,7 +1143,7 @@ static int config_parse_also(
                 if (r == 0)
                         break;
 
-                r = install_full_printf(info, word, &printed);
+                r = install_name_printf(info, word, &printed);
                 if (r < 0)
                         return r;
 
@@ -1190,7 +1190,7 @@ static int config_parse_default_instance(
                 return log_syntax(unit, LOG_WARNING, filename, line, 0,
                                   "DefaultInstance= only makes sense for template units, ignoring.");
 
-        r = install_full_printf(i, rvalue, &printed);
+        r = install_name_printf(i, rvalue, &printed);
         if (r < 0)
                 return r;
 
@@ -1816,7 +1816,7 @@ static int install_info_symlink_alias(
         STRV_FOREACH(s, i->aliases) {
                 _cleanup_free_ char *alias_path = NULL, *dst = NULL, *dst_updated = NULL;
 
-                q = install_full_printf(i, *s, &dst);
+                q = install_path_printf(i, *s, &dst);
                 if (q < 0)
                         return q;
 
@@ -1891,7 +1891,7 @@ static int install_info_symlink_wants(
         STRV_FOREACH(s, list) {
                 _cleanup_free_ char *path = NULL, *dst = NULL;
 
-                q = install_full_printf(i, *s, &dst);
+                q = install_name_printf(i, *s, &dst);
                 if (q < 0)
                         return q;
 
diff --git a/src/shared/specifier.c b/src/shared/specifier.c
index dc86b04b83..ef164b3942 100644
--- a/src/shared/specifier.c
+++ b/src/shared/specifier.c
@@ -29,7 +29,7 @@
  * and "%" used for escaping. */
 #define POSSIBLE_SPECIFIERS ALPHANUMERICAL "%"
 
-int specifier_printf(const char *text, const Specifier table[], const void *userdata, char **ret) {
+int specifier_printf(const char *text, size_t max_length, const Specifier table[], const void *userdata, char **ret) {
         size_t l, allocated = 0;
         _cleanup_free_ char *result = NULL;
         char *t;
@@ -45,7 +45,7 @@ int specifier_printf(const char *text, const Specifier table[], const void *user
                 return -ENOMEM;
         t = result;
 
-        for (f = text; *f; f++, l--)
+        for (f = text; *f != '\0'; f++, l--) {
                 if (percent) {
                         if (*f == '%')
                                 *(t++) = '%';
@@ -86,9 +86,16 @@ int specifier_printf(const char *text, const Specifier table[], const void *user
                 else
                         *(t++) = *f;
 
+                if ((size_t) (t - result) > max_length)
+                        return -ENAMETOOLONG;
+        }
+
         /* If string ended with a stray %, also end with % */
-        if (percent)
+        if (percent) {
                 *(t++) = '%';
+                if ((size_t) (t - result) > max_length)
+                        return -ENAMETOOLONG;
+        }
         *(t++) = 0;
 
         /* Try to deallocate unused bytes, but don't sweat it too much */
diff --git a/src/shared/specifier.h b/src/shared/specifier.h
index 6735a7a363..0c5bb3d0c4 100644
--- a/src/shared/specifier.h
+++ b/src/shared/specifier.h
@@ -11,7 +11,7 @@ typedef struct Specifier {
         const void *data;
 } Specifier;
 
-int specifier_printf(const char *text, const Specifier table[], const void *userdata, char **ret);
+int specifier_printf(const char *text, size_t max_length, const Specifier table[], const void *userdata, char **ret);
 
 int specifier_string(char specifier, const void *data, const void *userdata, char **ret);