tree-wide: refuse too long strings earlier in specifier_printf()

yuwata · yuwata · commit 065364920281 · 2021-05-12T10:26:07.000+09:00
We usually call specifier_printf() and then check the validity of
the result. In many cases, validity checkers, e.g. path_is_valid(),
refuse too long strings. This makes specifier_printf() refuse such
long results earlier.

Moreover, unit_full_string() and description field in sysuser now
refuse results longer than LONG_LINE_MAX. config_parse() already
refuses the line longer than LONG_LINE_MAX. Hence, it should be ok
to set the same value as the maximum length of the resolved string.
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
diff --git a/src/core/unit-printf.c b/src/core/unit-printf.c
@@ -201,10 +201,10 @@ int unit_name_printf(const Unit *u, const char* format, char **ret) {
         assert(format);
         assert(ret);
 
-        return specifier_printf(format, table, u, ret);
+        return specifier_printf(format, UNIT_NAME_MAX, table, u, ret);
 }
 
-int unit_full_printf(const Unit *u, const char *format, char **ret) {
+int unit_full_printf_full(const Unit *u, const char *format, size_t max_length, char **ret) {
         /* This is similar to unit_name_printf() but also supports unescaping. Also, adds a couple of additional codes
          * (which are likely not suitable for unescaped inclusion in unit names):
          *
@@ -265,5 +265,5 @@ int unit_full_printf(const Unit *u, const char *format, char **ret) {
                 {}
         };
 
-        return specifier_printf(format, table, u, ret);
+        return specifier_printf(format, max_length, table, u, ret);
 }
diff --git a/src/core/unit-printf.h b/src/core/unit-printf.h
@@ -1,7 +1,26 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#include "creds-util.h"
+#include "env-util.h"
+#include "fd-util.h"
+#include "fileio.h"
 #include "unit.h"
 
 int unit_name_printf(const Unit *u, const char* text, char **ret);
-int unit_full_printf(const Unit *u, const char *text, char **ret);
+int unit_full_printf_full(const Unit *u, const char *text, size_t max_length, char **ret);
+static inline int unit_full_printf(const Unit *u, const char *text, char **ret) {
+        return unit_full_printf_full(u, text, LONG_LINE_MAX, ret);
+}
+static inline int unit_path_printf(const Unit *u, const char *text, char **ret) {
+        return unit_full_printf_full(u, text, PATH_MAX-1, ret);
+}
+static inline int unit_fd_printf(const Unit *u, const char *text, char **ret) {
+        return unit_full_printf_full(u, text, FDNAME_MAX, ret);
+}
+static inline int unit_cred_printf(const Unit *u, const char *text, char **ret) {
+        return unit_full_printf_full(u, text, CREDENTIAL_NAME_MAX, ret);
+}
+static inline int unit_env_printf(const Unit *u, const char *text, char **ret) {
+        return unit_full_printf_full(u, text, sc_arg_max(), ret);
+}
diff --git a/src/partition/repart.c b/src/partition/repart.c
@@ -977,7 +977,7 @@ static int config_parse_label(
         /* Nota bene: the empty label is a totally valid one. Let's hence not follow our usual rule of
          * assigning the empty string to reset to default here, but really accept it as label to set. */
 
-        r = specifier_printf(rvalue, specifier_table, NULL, &resolved);
+        r = specifier_printf(rvalue, GPT_LABEL_MAX, specifier_table, NULL, &resolved);
         if (r < 0) {
                 log_syntax(unit, LOG_WARNING, filename, line, r,
                            "Failed to expand specifiers in Label=, ignoring: %s", rvalue);
@@ -1142,7 +1142,7 @@ static int config_parse_copy_files(
         if (!isempty(p))
                 return log_syntax(unit, LOG_ERR, filename, line, SYNTHETIC_ERRNO(EINVAL), "Too many arguments: %s", rvalue);
 
-        r = specifier_printf(source, specifier_table, NULL, &resolved_source);
+        r = specifier_printf(source, PATH_MAX-1, specifier_table, NULL, &resolved_source);
         if (r < 0) {
                 log_syntax(unit, LOG_WARNING, filename, line, r,
                            "Failed to expand specifiers in CopyFiles= source, ignoring: %s", rvalue);
@@ -1153,7 +1153,7 @@ static int config_parse_copy_files(
         if (r < 0)
                 return 0;
 
-        r = specifier_printf(target, specifier_table, NULL, &resolved_target);
+        r = specifier_printf(target, PATH_MAX-1, specifier_table, NULL, &resolved_target);
         if (r < 0) {
                 log_syntax(unit, LOG_WARNING, filename, line, r,
                            "Failed to expand specifiers in CopyFiles= target, ignoring: %s", resolved_target);
@@ -1202,7 +1202,7 @@ static int config_parse_copy_blocks(
                 return 0;
         }
 
-        r = specifier_printf(rvalue, specifier_table, NULL, &d);
+        r = specifier_printf(rvalue, PATH_MAX-1, specifier_table, NULL, &d);
         if (r < 0) {
                 log_syntax(unit, LOG_WARNING, filename, line, r,
                            "Failed to expand specifiers in CopyBlocks= source path, ignoring: %s", rvalue);
@@ -1250,7 +1250,7 @@ static int config_parse_make_dirs(
                 if (r == 0)
                         return 0;
 
-                r = specifier_printf(word, specifier_table, NULL, &d);
+                r = specifier_printf(word, PATH_MAX-1, specifier_table, NULL, &d);
                 if (r < 0) {
                         log_syntax(unit, LOG_WARNING, filename, line, r,
                                    "Failed to expand specifiers in MakeDirectories= parameter, ignoring: %s", word);
diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c
@@ -255,7 +255,7 @@ int config_parse_dnssd_service_name(
                 return 0;
         }
 
-        r = specifier_printf(rvalue, specifier_table, NULL, &name);
+        r = specifier_printf(rvalue, DNS_LABEL_MAX, specifier_table, NULL, &name);
         if (r < 0) {
                 log_syntax(unit, LOG_WARNING, filename, line, r,
                            "Invalid service instance name template '%s', ignoring assignment: %m", rvalue);
diff --git a/src/resolve/resolved-dnssd.c b/src/resolve/resolved-dnssd.c
@@ -170,7 +170,7 @@ int dnssd_render_instance_name(DnssdService *s, char **ret_name) {
         assert(s);
         assert(s->name_template);
 
-        r = specifier_printf(s->name_template, specifier_table, s, &name);
+        r = specifier_printf(s->name_template, DNS_LABEL_MAX, specifier_table, s, &name);
         if (r < 0)
                 return log_debug_errno(r, "Failed to replace specifiers: %m");
 
diff --git a/src/shared/install-printf.c b/src/shared/install-printf.c
@@ -103,7 +103,7 @@ static int specifier_last_component(char specifier, const void *data, const void
         return 0;
 }
 
-int install_full_printf(const UnitFileInstallInfo *i, const char *format, char **ret) {
+int install_full_printf_internal(const UnitFileInstallInfo *i, const char *format, size_t max_length, char **ret) {
         /* This is similar to unit_name_printf() */
 
         const Specifier table[] = {
@@ -123,5 +123,5 @@ int install_full_printf(const UnitFileInstallInfo *i, const char *format, char *
         assert(format);
         assert(ret);
 
-        return specifier_printf(format, table, i, ret);
+        return specifier_printf(format, max_length, table, i, ret);
 }
diff --git a/src/shared/install-printf.h b/src/shared/install-printf.h
@@ -2,5 +2,12 @@
 #pragma once
 
 #include "install.h"
+#include "unit-name.h"
 
-int install_full_printf(const UnitFileInstallInfo *i, const char *format, char **ret);
+int install_full_printf_internal(const UnitFileInstallInfo *i, const char *format, size_t max_length, char **ret);
+static inline int install_name_printf(const UnitFileInstallInfo *i, const char *format, char **ret) {
+        return install_full_printf_internal(i, format, UNIT_NAME_MAX, ret);
+}
+static inline int install_path_printf(const UnitFileInstallInfo *i, const char *format, char **ret) {
+        return install_full_printf_internal(i, format, PATH_MAX-1, ret);
+}
diff --git a/src/shared/install.c b/src/shared/install.c
@@ -1143,7 +1143,7 @@ static int config_parse_also(
                 if (r == 0)
                         break;
 
-                r = install_full_printf(info, word, &printed);
+                r = install_name_printf(info, word, &printed);
                 if (r < 0)
                         return r;
 
@@ -1190,7 +1190,7 @@ static int config_parse_default_instance(
                 return log_syntax(unit, LOG_WARNING, filename, line, 0,
                                   "DefaultInstance= only makes sense for template units, ignoring.");
 
-        r = install_full_printf(i, rvalue, &printed);
+        r = install_name_printf(i, rvalue, &printed);
         if (r < 0)
                 return r;
 
@@ -1816,7 +1816,7 @@ static int install_info_symlink_alias(
         STRV_FOREACH(s, i->aliases) {
                 _cleanup_free_ char *alias_path = NULL, *dst = NULL, *dst_updated = NULL;
 
-                q = install_full_printf(i, *s, &dst);
+                q = install_path_printf(i, *s, &dst);
                 if (q < 0)
                         return q;
 
@@ -1891,7 +1891,7 @@ static int install_info_symlink_wants(
         STRV_FOREACH(s, list) {
                 _cleanup_free_ char *path = NULL, *dst = NULL;
 
-                q = install_full_printf(i, *s, &dst);
+                q = install_name_printf(i, *s, &dst);
                 if (q < 0)
                         return q;
 
diff --git a/src/shared/specifier.c b/src/shared/specifier.c
@@ -29,7 +29,7 @@
  * and "%" used for escaping. */
 #define POSSIBLE_SPECIFIERS ALPHANUMERICAL "%"
 
-int specifier_printf(const char *text, const Specifier table[], const void *userdata, char **ret) {
+int specifier_printf(const char *text, size_t max_length, const Specifier table[], const void *userdata, char **ret) {
         size_t l, allocated = 0;
         _cleanup_free_ char *result = NULL;
         char *t;
@@ -45,7 +45,7 @@ int specifier_printf(const char *text, const Specifier table[], const void *user
                 return -ENOMEM;
         t = result;
 
-        for (f = text; *f; f++, l--)
+        for (f = text; *f != '\0'; f++, l--) {
                 if (percent) {
                         if (*f == '%')
                                 *(t++) = '%';
@@ -86,9 +86,16 @@ int specifier_printf(const char *text, const Specifier table[], const void *user
                 else
                         *(t++) = *f;
 
+                if ((size_t) (t - result) > max_length)
+                        return -ENAMETOOLONG;
+        }
+
         /* If string ended with a stray %, also end with % */
-        if (percent)
+        if (percent) {
                 *(t++) = '%';
+                if ((size_t) (t - result) > max_length)
+                        return -ENAMETOOLONG;
+        }
         *(t++) = 0;
 
         /* Try to deallocate unused bytes, but don't sweat it too much */
diff --git a/src/shared/specifier.h b/src/shared/specifier.h
@@ -11,7 +11,7 @@ typedef struct Specifier {
         const void *data;
 } Specifier;
 
-int specifier_printf(const char *text, const Specifier table[], const void *userdata, char **ret);
+int specifier_printf(const char *text, size_t max_length, const Specifier table[], const void *userdata, char **ret);
 
 int specifier_string(char specifier, const void *data, const void *userdata, char **ret);
 
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
@@ -1492,7 +1492,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
                 name = mfree(name);
 
         if (name) {
-                r = specifier_printf(name, specifier_table, NULL, &resolved_name);
+                r = specifier_printf(name, NAME_MAX, specifier_table, NULL, &resolved_name);
                 if (r < 0)
                         return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m", fname, line, name);
 
@@ -1507,7 +1507,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
                 id = mfree(id);
 
         if (id) {
-                r = specifier_printf(id, specifier_table, NULL, &resolved_id);
+                r = specifier_printf(id, PATH_MAX-1, specifier_table, NULL, &resolved_id);
                 if (r < 0)
                         return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
                                                fname, line, name);
@@ -1518,7 +1518,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
                 description = mfree(description);
 
         if (description) {
-                r = specifier_printf(description, specifier_table, NULL, &resolved_description);
+                r = specifier_printf(description, LONG_LINE_MAX, specifier_table, NULL, &resolved_description);
                 if (r < 0)
                         return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
                                                fname, line, description);
@@ -1534,7 +1534,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
                 home = mfree(home);
 
         if (home) {
-                r = specifier_printf(home, specifier_table, NULL, &resolved_home);
+                r = specifier_printf(home, PATH_MAX-1, specifier_table, NULL, &resolved_home);
                 if (r < 0)
                         return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
                                                fname, line, home);
@@ -1550,7 +1550,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
                 shell = mfree(shell);
 
         if (shell) {
-                r = specifier_printf(shell, specifier_table, NULL, &resolved_shell);
+                r = specifier_printf(shell, PATH_MAX-1, specifier_table, NULL, &resolved_shell);
                 if (r < 0)
                         return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
                                                fname, line, shell);
diff --git a/src/test/test-load-fragment.c b/src/test/test-load-fragment.c
@@ -512,7 +512,7 @@ static void test_install_printf(void) {
                 _cleanup_free_ char                                     \
                         *d1 = strdup(i.name),                           \
                         *d2 = strdup(i.path);                           \
-                assert_se(install_full_printf(&src, pattern, &t) >= 0 || !result); \
+                assert_se(install_name_printf(&src, pattern, &t) >= 0 || !result); \
                 memzero(i.name, strlen(i.name));                        \
                 memzero(i.path, strlen(i.path));                        \
                 assert_se(d1 && d2);                                    \
diff --git a/src/test/test-specifier.c b/src/test/test-specifier.c
@@ -69,21 +69,21 @@ static void test_specifier_printf(void) {
 
         log_info("/* %s */", __func__);
 
-        r = specifier_printf("xxx a=%X b=%Y yyy", table, NULL, &w);
+        r = specifier_printf("xxx a=%X b=%Y yyy", SIZE_MAX, table, NULL, &w);
         assert_se(r >= 0);
         assert_se(w);
 
         puts(w);
         assert_se(streq(w, "xxx a=AAAA b=BBBB yyy"));
 
         free(w);
-        r = specifier_printf("machine=%m, boot=%b, host=%H, version=%v, arch=%a", table, NULL, &w);
+        r = specifier_printf("machine=%m, boot=%b, host=%H, version=%v, arch=%a", SIZE_MAX, table, NULL, &w);
         assert_se(r >= 0);
         assert_se(w);
         puts(w);
 
         w = mfree(w);
-        specifier_printf("os=%o, os-version=%w, build=%B, variant=%W", table, NULL, &w);
+        specifier_printf("os=%o, os-version=%w, build=%B, variant=%W", SIZE_MAX, table, NULL, &w);
         if (w)
                 puts(w);
 }
@@ -97,7 +97,7 @@ static void test_specifiers(void) {
 
                 xsprintf(spec, "%%%c", s->specifier);
 
-                assert_se(specifier_printf(spec, specifier_table, NULL, &resolved) >= 0);
+                assert_se(specifier_printf(spec, SIZE_MAX, specifier_table, NULL, &resolved) >= 0);
 
                 log_info("%%%c → %s", s->specifier, resolved);
         }
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
@@ -2522,7 +2522,7 @@ static int specifier_expansion_from_arg(Item *i) {
                 if (r < 0)
                         return log_error_errno(r, "Failed to unescape parameter to write: %s", i->argument);
 
-                r = specifier_printf(unescaped, specifier_table, NULL, &resolved);
+                r = specifier_printf(unescaped, PATH_MAX-1, specifier_table, NULL, &resolved);
                 if (r < 0)
                         return r;
 
@@ -2532,7 +2532,7 @@ static int specifier_expansion_from_arg(Item *i) {
         case SET_XATTR:
         case RECURSIVE_SET_XATTR:
                 STRV_FOREACH(xattr, i->xattrs) {
-                        r = specifier_printf(*xattr, specifier_table, NULL, &resolved);
+                        r = specifier_printf(*xattr, SIZE_MAX, specifier_table, NULL, &resolved);
                         if (r < 0)
                                 return r;
 
@@ -2706,7 +2706,7 @@ static int parse_line(
         i.append_or_force = append_or_force;
         i.allow_failure = allow_failure;
 
-        r = specifier_printf(path, specifier_table, NULL, &i.path);
+        r = specifier_printf(path, PATH_MAX-1, specifier_table, NULL, &i.path);
         if (r == -ENXIO)
                 return log_unresolvable_specifier(fname, line);
         if (r < 0) {

Original file line number	Diff line number	Diff line change
`@@ -201,10 +201,10 @@ int unit_name_printf(const Unit u, const char format, char **ret) {`
`201`	`201`	`assert(format);`
`202`	`202`	`assert(ret);`
`203`	`203`
`204`		`- return specifier_printf(format, table, u, ret);`
	`204`	`+ return specifier_printf(format, UNIT_NAME_MAX, table, u, ret);`
`205`	`205`	`}`
`206`	`206`
`207`		`-int unit_full_printf(const Unit u, const char format, char **ret) {`
	`207`	`+int unit_full_printf_full(const Unit u, const char format, size_t max_length, char **ret) {`
`208`	`208`	`/* This is similar to unit_name_printf() but also supports unescaping. Also, adds a couple of additional codes`
`209`	`209`	`* (which are likely not suitable for unescaped inclusion in unit names):`
`210`	`210`	`*`
`@@ -265,5 +265,5 @@ int unit_full_printf(const Unit u, const char format, char **ret) {`
`265`	`265`	`{}`
`266`	`266`	`};`
`267`	`267`
`268`		`- return specifier_printf(format, table, u, ret);`
	`268`	`+ return specifier_printf(format, max_length, table, u, ret);`
`269`	`269`	`}`
Original file line number	Diff line number	Diff line change
`@@ -255,7 +255,7 @@ int config_parse_dnssd_service_name(`
`255`	`255`	`return 0;`
`256`	`256`	`}`
`257`	`257`
`258`		`- r = specifier_printf(rvalue, specifier_table, NULL, &name);`
	`258`	`+ r = specifier_printf(rvalue, DNS_LABEL_MAX, specifier_table, NULL, &name);`
`259`	`259`	`if (r < 0) {`
`260`	`260`	`log_syntax(unit, LOG_WARNING, filename, line, r,`
`261`	`261`	`"Invalid service instance name template '%s', ignoring assignment: %m", rvalue);`
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ static int specifier_last_component(char specifier, const void *data, const void`
`103`	`103`	`return 0;`
`104`	`104`	`}`
`105`	`105`
`106`		`-int install_full_printf(const UnitFileInstallInfo i, const char format, char **ret) {`
	`106`	`+int install_full_printf_internal(const UnitFileInstallInfo i, const char format, size_t max_length, char **ret) {`
`107`	`107`	`/* This is similar to unit_name_printf() */`
`108`	`108`
`109`	`109`	`const Specifier table[] = {`
`@@ -123,5 +123,5 @@ int install_full_printf(const UnitFileInstallInfo i, const char format, char *`
`123`	`123`	`assert(format);`
`124`	`124`	`assert(ret);`
`125`	`125`
`126`		`- return specifier_printf(format, table, i, ret);`
	`126`	`+ return specifier_printf(format, max_length, table, i, ret);`
`127`	`127`	`}`