lua-l archive

Hi everyone,

In the light of the recent C stack overflow issue with string.find,
there were a few questions that crossed my mind:

Regarding the impact of the string.find crash:
- does this allow code injection (possibly, if someone was really
serious about trying to exploit that)? overflowing the C stack doesn't
exactly sound like a safe operation...
- are there any other string functions that might allow a C stack
overflow in a similar way?

Regarding avoiding the string.find crash:
- is there any way to block this by e.g. limiting the length of the
first argument (e.g. to 100 or 1000 chars)? or are there specific
patterns that can trigger the same issue with a much smaller length?
- would the Lua developers consider adding a sane limit into the
string.find code wherever it makes sense, configurable through
luaconf, which cancels the operation before the risk of a C stack
overrun occurs?
- alternatively, is there a way string.find could be implemented using
the heap instead of the stack, with a possibly less fatal outcome when
huge patterns are searched? maybe this could be added with an option
to activate in luaconf, so those who prefer a faster(?) stack-focussed
implementation can stick to the old way.

Sorry if any of those questions were already asked, a search for
"string.find" and "string.find stack" in the list archive didn't yield
anything useful.

Jonas Thiem
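An added example of the length-limiting guard the message asks about (my own code, not from the message or the Lua project; the caps, names and sample inputs are assumed): a wrapper that rejects oversized subjects and patterns before they reach the C matcher. The check has to run before the call, because a C stack overflow crashes the process rather than raising a Lua error that pcall could catch.

```lua
-- Guarded replacement for string.find (added example, not Lua's own code).
-- Inputs beyond the assumed caps are refused up front, so the C pattern
-- matcher never sees them.
local MAX_SUBJECT = 1000   -- assumed cap on the subject string length
local MAX_PATTERN = 100    -- assumed cap on the pattern string length

local raw_find = string.find

local function guarded_find(s, pattern, init, plain)
  if type(s) ~= "string" or type(pattern) ~= "string" then
    return nil, "guarded_find: subject and pattern must be strings"
  end
  if #s > MAX_SUBJECT then
    return nil, ("guarded_find: subject too long (%d > %d)"):format(#s, MAX_SUBJECT)
  end
  -- A plain search does no pattern matching, so only the pattern path is capped.
  if not plain and #pattern > MAX_PATTERN then
    return nil, ("guarded_find: pattern too long (%d > %d)"):format(#pattern, MAX_PATTERN)
  end
  return raw_find(s, pattern, init, plain)
end

-- Install the guard globally so existing calls (including s:find(...)) use it.
string.find = guarded_find

-- Constructed inputs for a quick self-check.
assert(("hello world"):find("wor") == 7)                    -- normal call still works
assert(guarded_find(("x"):rep(5000), "x") == nil)           -- rejected: subject too long
assert(guarded_find("abc", ("a?"):rep(200)) == nil)         -- rejected: pattern too long
assert(guarded_find("a?a?a?", ("a?"):rep(200), 1, true) == nil) -- plain: literal not found, allowed
assert(guarded_find("a?a?a?", "a?", 1, true) == 1)          -- plain: literal found
```

Whether caps of this size rule out every problematic pattern is exactly the open question in the message; the wrapper only enforces the limits it is given.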