lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Thank you that's really what I needed to know. I am writing everything in Lua so far but there are libraries I am using that rely on C such as luaxml and luasys (possibly to be replaced with cqueues). ‎It made me curious as to the protection afforded me by the abstraction of calling C from Lua. 


Sent from my BlackBerry 10 smartphone on the Virgin Mobile network.
  Original Message  
From: Coda Highland
Sent: Sunday, September 18, 2016 5:44 PM
To: Lua mailing list
Reply To: Lua mailing list
Subject: Re: Lua exposure to C vulnerabilities?

On Sun, Sep 18, 2016 at 5:36 PM, Russell Haley <> wrote:
> I agree that fixing instability in one's code is best. However, the library is hypothetical. (note, I only have a rudimentary understanding of these issues.) If my 'library' failed to do proper bounds checking and had the potential for buffer overruns (for example) when exposed to a network, would calling said library from Lua protect me?
> Russ

No, it would not protect you that way.

Best practices when it comes to writing secure code amounts to "don't
do it yourself."

If you want Lua to protect you, then don't write your library in C --
write as much of it as possible in Lua, and only call out to C for the
parts that you can't do in Lua (or that profiling shows is
prohibitively expensive in Lua).

If you must write your code in C, then still don't do stuff yourself.
For example, don't allocate buffers manually; use a library. Don't use
[] notation to access arrays through a pointer; use a bounds-checked
accessor that knows the size of the content.

/s/ Adam