Re: Lua exposure to C vulnerabilities?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Lua exposure to C vulnerabilities?
From: Florian Weimer <fw@...>
Date: Wed, 21 Sep 2016 19:17:38 +0200

* Russell Haley:

> Thanks Florian. So does interfacing a C library (written poorly by
> me!) with Lua ‎protect me from potential vulnerabilities in that
> library?

It depends what you are doing.  Lua itself tries to prevent crashing
the program by misusing libc functions (no malloc and free, for
example).  Your Lua wrapper could do something similar.

It will not magically fix vulnerabilities that are unrelated to misuse
of library interfaces, though.

For example, if a DNS processing library has name resolution context
allocation and deallocation functions, the Lua interface could make
sure that you cannot call them in the wrong order, and thus avoid
issues related to that (use-after-free problems, for example).  But if
the DNS library crashes while processing certain DNS responses, the
Lua wrapper will not affect that at all.

References:
- Lua exposure to C vulnerabilities?, Russell Haley
- Re: Lua exposure to C vulnerabilities?, Florian Weimer
- Re: Lua exposure to C vulnerabilities?, Russell Haley

Prev by Date: Re: Lua Workshop 2016
Next by Date: [ANN] ljc, a Lua to native executable compiler
Previous by thread: Re: Lua exposure to C vulnerabilities?
Next by thread: AW: Lua exposure to C vulnerabilities?
Index(es):
- Date
- Thread