
tpm2_attr_util: tighten token parsing in handle_dispatch to prevent false prefix matches #3557

Open
hyperfinitism wants to merge 1 commit into tpm2-software:master from hyperfinitism:fix/avoid-prefix-match

@hyperfinitism
Contributor

@hyperfinitism hyperfinitism commented Feb 19, 2026

This PR fixes the token parsing logic in tpm2_attr_util.c to prevent false matches (e.g. name="foo" vs token="foobar...") and spurious dispatch_err returns during dispatch table iteration.

  • Inline token_match() into handle_dispatch(). This helper was file-local (no prototype in a public header), so this is not a breaking API change.
  • Require an exact match for no-arg tokens (strcmp(token, name)). The previous implementation could incorrectly accept prefix matches.
  • Require arg tokens to be in the strict "name=arg" form to avoid prefix matches. The previous implementation could incorrectly accept prefix matches.
  • Split tokens on '=' only after a confirmed match so non-matching table entries do not fail parsing.

This also silences discarded-qualifiers warnings/errors (related: #3556).

@JuergenReppSIT
Member

@hyperfinitism Thank you for the PRs. I have changed the usage of const in some cases in PR #3556. If this PR is approved and merged you could rebase your PR and revert the following changes in Makefile.am:

AM_CFLAGS += -DCMOCKA_ENABLE_DEPRECATED=1
AM_CFLAGS += -Wno-error=deprecated-declarations
AM_CFLAGS += -Wno-error=discarded-qualifiers

Also the Arch Linux tests should work.

@JuergenReppSIT
Member

@hyperfinitism your change would produce a CLI break.
e.g. the following command, which works in the current version, would produce an error:

tpm2_createprimary -c primary.ctx -a "fixedt|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt"

(fixedtpm is replaced with fixedt)

Prevents false matches like (name = "foo" vs. token = "foobar...") and
spurious dispatch_err during table iteration.

- Inline token_match() into handle_dispatch()
- no-arg tokens require exact strcmp(token, name) match
- arg tokens must be in "name=arg" form, which avoids prefix matches
- Split token on '=' only after a confirmed match; keep non-matching
  entries from failing

Signed-off-by: Takuma IMAMURA <209989118+hyperfinitism@users.noreply.github.com>
@hyperfinitism
Contributor Author

Yes, this PR is a breaking change.

In the current implementation, token_match() computes match_len = strlen(token) (for no-arg tokens) and then calls strncmp(name, token, match_len), which means the comparison is driven by the length of the token, not the name. This causes a token that is a proper prefix of a name to match, e.g. fixedt would match fixedtpm. This PR changes the behavior so that only exact matches are accepted, which breaks any existing usage relying on prefix matching.

If the current behavior (accepting prefix matches) is intended, this PR can be safely closed.
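
An added example, not part of the thread and not the project's code: a small C model of the two matching rules discussed above, showing that a length taken from the token accepts `fixedt`, resolves the ambiguous `fixed` to whichever entry comes first, and accepts the empty token. The table contents and order, the function names and the arg-taking name `foo` are assumptions; the loose lookup covers only the no-arg path, the only one the thread describes.

```c
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; int takes_arg; } entry;

/* Constructed table: three attribute names from the thread plus the
 * hypothetical arg-taking name "foo" from the PR description. */
static const entry table[] = {
    {"fixedtpm", 0}, {"fixedparent", 0}, {"decrypt", 0}, {"foo", 1},
};
#define N_ENTRIES (sizeof(table) / sizeof(table[0]))

/* Comparison as described in the thread for no-arg tokens: the length
 * is taken from the token, so any prefix of name (even "") compares equal. */
static int loose_match(const char *name, const char *token) {
    return strncmp(name, token, strlen(token)) == 0;
}

/* Strict rule from the PR description: exact match for no-arg names,
 * "name=arg" for arg names. */
static int strict_match(const entry *e, const char *token) {
    size_t n = strlen(e->name);
    if (!e->takes_arg)
        return strcmp(token, e->name) == 0;
    /* token[n] is readable: the first n bytes equal name, so none is NUL */
    return strncmp(token, e->name, n) == 0 && token[n] == '=';
}

/* Index of the first table entry accepting token, or -1. */
static int find_loose(const char *token) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (!table[i].takes_arg && loose_match(table[i].name, token))
            return (int)i;
    return -1;
}

static int find_strict(const char *token) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strict_match(&table[i], token))
            return (int)i;
    return -1;
}

int main(void) {
    const char *tokens[] = {"fixedtpm", "fixedt", "fixed", "", "foo=1", "foobar"};
    for (size_t i = 0; i < sizeof(tokens) / sizeof(tokens[0]); i++)
        printf("%-10s loose=%2d strict=%2d\n", tokens[i],
               find_loose(tokens[i]), find_strict(tokens[i]));
    return 0;
}
```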
