lua-users home
lua-l archive


On Sun, Sep 18, 2016 at 5:36 PM, Russell Haley <russ.haley@gmail.com> wrote:
> I agree that fixing instability in one's code is best. However, the library is hypothetical. (note, I only have a rudimentary understanding of these issues.) If my 'library' failed to do proper bounds checking and had the potential for buffer overruns (for example) when exposed to a network, would calling said library from Lua protect me?
>
> Russ

No, it would not protect you that way.

Best practices when it comes to writing secure code amount to "don't
do it yourself."

If you want Lua to protect you, then don't write your library in C --
write as much of it as possible in Lua, and only call out to C for the
parts that you can't do in Lua (or that profiling shows are
prohibitively expensive in Lua).

If you must write your code in C, then still don't do stuff yourself.
For example, don't allocate buffers manually; use a library. Don't use
[] notation to access arrays through a pointer; use a bounds-checked
accessor that knows the size of the content.

/s/ Adam
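
Added example, not part of the original message and not code from any Lua library: one way to apply the "bounds-checked accessor that knows the size of the content" advice to data arriving from a network. The `span_t` type, the helper names, and the one-byte length-prefixed wire format are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical view type: a pointer that always travels with its length. */
typedef struct { const uint8_t *data; size_t len; } span_t;

/* Checked read: stores the byte and returns 0, or returns -1 if idx is out of range. */
static int span_get(span_t s, size_t idx, uint8_t *out) {
    if (idx >= s.len) return -1;
    *out = s.data[idx];
    return 0;
}

/* Checked sub-view: fails instead of producing a view past the end.
   Written as n > s.len - off so the comparison itself cannot overflow. */
static int span_slice(span_t s, size_t off, size_t n, span_t *out) {
    if (off > s.len || n > s.len - off) return -1;
    out->data = s.data + off;
    out->len = n;
    return 0;
}

/* Checked copy into a fixed-capacity destination buffer. */
static int span_copy(uint8_t *dst, size_t dst_cap, span_t src) {
    if (src.len > dst_cap) return -1;
    memcpy(dst, src.data, src.len);
    return 0;
}

/* Constructed wire format: [1-byte declared length][payload].
   The declared length comes from the peer, so it is checked against the
   bytes actually received and against the destination capacity. */
int parse_record(const uint8_t *pkt, size_t pkt_len,
                 uint8_t *name, size_t name_cap, size_t *name_len) {
    span_t in = { pkt, pkt_len }, payload;
    uint8_t declared;
    if (span_get(in, 0, &declared) != 0) return -1;            /* empty packet */
    if (span_slice(in, 1, declared, &payload) != 0) return -1; /* length exceeds data */
    if (span_copy(name, name_cap, payload) != 0) return -1;    /* too large for dst */
    *name_len = payload.len;
    return 0;
}
```

Every access in `parse_record` goes through a helper that knows the size of what it touches, so a packet that misstates its own length is rejected rather than read or copied out of bounds.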