Re: LuaSocket: No way to protect against fuzzing attacks?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: LuaSocket: No way to protect against fuzzing attacks?
From: Stefan Reich <stefan.reich.maker.of.eye@...>
Date: Tue, 11 Oct 2011 14:54:24 +0000

On Tue, Oct 11, 2011 at 2:23 PM, Javier Guerra Giraldez
<javier@guerrag.com> wrote:
> Copas and Xavante are written like that --- some people think they're fun :-)

Yeah, I think this is totally a solvable problem.

Use socket.select to wait for data. Then read from all sockets with
data in the queue. Simple as that. You can't get stalled that way, no
matter how slowly someone sends you data.

On top of that, just drop any connection as soon as it appears not to
be worthwhile. (Takes too long to deliver data, or too many headers.)

Doesn't that solve all your "fuzzing attack" problems?

[I didn't know that it is called fuzzing btw. Is that a well-known
term this side of the great beltway? :)]

We should put up some HTTP servers and try to fuzz them.

(Well, if the spirit of this list was not disencouraging actual
collaboration, we would...)

Cheers,
Stefan

References:
- LuaSocket: No way to protect against fuzzing attacks?, HyperHacker
- Re: LuaSocket: No way to protect against fuzzing attacks?, Peter Pimley
- Re: LuaSocket: No way to protect against fuzzing attacks?, Sean Conner
- Re: LuaSocket: No way to protect against fuzzing attacks?, Javier Guerra Giraldez

Prev by Date: Is it hard to write a fast JIT for a language that distinguishes between NULL and Int32=0
Next by Date: Re: Using Lua's memory allocator
Previous by thread: Re: LuaSocket: No way to protect against fuzzing attacks?
Next by thread: Re: LuaSocket: No way to protect against fuzzing attacks?
Index(es):
- Date
- Thread