Re: Lua exposure to C vulnerabilities?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Lua exposure to C vulnerabilities?
From: Coda Highland <chighland@...>
Date: Sun, 18 Sep 2016 17:43:33 -0700

On Sun, Sep 18, 2016 at 5:36 PM, Russell Haley <russ.haley@gmail.com> wrote:
> I agree that fixing instability in one's code is best. However, the library is hypothetical. (note, I only have a rudimentary understanding of these issues.) If my 'library' failed to do proper bounds checking and had the potential for buffer overruns (for example) when exposed to a network, would calling said library from Lua protect me?
>
> Russ

No, it would not protect you that way.

Best practices when it comes to writing secure code amounts to "don't
do it yourself."

If you want Lua to protect you, then don't write your library in C --
write as much of it as possible in Lua, and only call out to C for the
parts that you can't do in Lua (or that profiling shows is
prohibitively expensive in Lua).

If you must write your code in C, then still don't do stuff yourself.
For example, don't allocate buffers manually; use a library. Don't use
[] notation to access arrays through a pointer; use a bounds-checked
accessor that knows the size of the content.

/s/ Adam

Follow-Ups:
- Re: Lua exposure to C vulnerabilities?, Russell Haley

References:
- Lua exposure to C vulnerabilities?, Russell Haley
- Re: Lua exposure to C vulnerabilities?, Florian Weimer
- Re: Lua exposure to C vulnerabilities?, Russell Haley
- Re: Lua exposure to C vulnerabilities?, Tim Hume
- Re: Lua exposure to C vulnerabilities?, Soni L.
- Re: Lua exposure to C vulnerabilities?, Tim Hume
- Re: Lua exposure to C vulnerabilities?, Russell Haley

Prev by Date: Re: Lua exposure to C vulnerabilities?
Next by Date: Re: Lua exposure to C vulnerabilities?
Previous by thread: Re: Lua exposure to C vulnerabilities?
Next by thread: Re: Lua exposure to C vulnerabilities?
Index(es):
- Date
- Thread