- Subject: Re: large allocation with 'io.read' function
- From: Lorenzo Donati <lorenzodonatibz@...>
- Date: Fri, 3 Mar 2017 13:19:28 +0100
On 03/03/2017 12:53, op7ic \x00 wrote:
>> In the usual Lua philosophy, the language provides mechanisms, not
>> policies. Therefore the Lua team avoids putting arbitrary limits where there
>> is no clear reasonable choice.
>
> fair enough. In that case it's an "unintended side-effect" ;) I'm not
> entirely sure what would be the best solution as in current state
> running code above would just DoS the system ..
>
> On Fri, Mar 3, 2017 at 11:17 AM, Dirk Laurie <email@example.com> wrote:
>> 2017-03-03 13:03 GMT+02:00 op7ic \x00 <firstname.lastname@example.org>:
>>> version: lua 5.3.4
>>> I'm not sure this is really a bug
>>
>> Yes, we have been told to use the word sparingly. Maybe call it
>> an "unintended side-effect".
What could that limit be? For an MCU, for example, 16 bytes could also be
a reasonable limit. On a huge server machine 1GiB could be reasonable.
I agree that 59GB sounds fairly unreasonable, for today's standards, but
the point is, there is no hard and fast value good for every situation.
Anyway the solution is easy, just enclose the io.read function in a
wrapper function that does size checking against a limit reasonable for
You might also want to wrap that function globally, so that any usage of
the standard io.read would be checked. This could be useful to enforce
policies across all parts of a bigger app.
Of course these measures are good to prevent programming mistakes, not
as a robust security measure against DoS attacks. In this latter case
you'd need to design the whole system against those threats (not easy
stuff and probably impossible on the Lua side alone without properly
setting up the OS environment as well).
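As an added illustration of the wrapper approach described above (example code, not code from the thread or from the Lua distribution), here is a Lua 5.3 wrapper that checks any numeric count passed to a read call against an assumed limit and installs the check globally. It wraps both io.read and the file-handle read method, because io.read calls the C implementation directly and f:read(n) on an opened file would otherwise bypass the wrapper; MAX_READ and the function names are assumptions.

```lua
-- Assumed limit; pick one that fits the deployment (an MCU and a server
-- will want very different values).
local MAX_READ = 16 * 1024 * 1024  -- 16 MiB

-- Refuse any numeric read count that is negative or above MAX_READ.
-- Negative counts matter too: the C side converts the integer to size_t,
-- so a negative value would become a huge allocation request.
local function check_formats(...)
  for i = 1, select("#", ...) do
    local fmt = select(i, ...)
    if type(fmt) == "number" and (fmt < 0 or fmt > MAX_READ) then
      error(("read: requested %s bytes, limit is %d"):format(
              tostring(fmt), MAX_READ), 3)
    end
  end
end

-- Wrap the global io.read so every caller in the program is checked.
local raw_io_read = io.read
io.read = function(...)
  check_formats(...)
  return raw_io_read(...)
end

-- io.read does not go through the file-handle method table, and
-- f:read(n) does not go through io.read, so wrap the method as well.
-- __index of the file metatable resolves to the method table
-- (in Lua 5.3 it is the metatable itself).
local file_methods = getmetatable(io.stdin).__index
local raw_file_read = file_methods.read
file_methods.read = function(self, ...)
  check_formats(...)
  return raw_file_read(self, ...)
end

-- Constructed check: a 59 GiB request is refused before any buffer is
-- allocated, on both entry points.
local ok, err = pcall(io.read, 59 * 1024 * 1024 * 1024)
assert(not ok and err:find("limit"), "huge io.read should be refused")
ok, err = pcall(io.stdin.read, io.stdin, -1)
assert(not ok and err:find("limit"), "negative f:read should be refused")
```

The check only bounds numeric formats; the "a" format still reads until EOF and grows its buffer without limit, so code that must cap input from an untrusted stream should read in fixed-size chunks instead.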