lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

>lua.c collectargs seems to assume that argv has at least one 
>element (the binary's name, by convention). As people have 
>recently (re)discovered, some OSes (e.g. Linux) don't guarantee that

Good point!

The sneaky part of this problem (on Linux at least) is that if you do this, as lua.c does...

for (i = 1; argv[i] != NULL; i++) {

...but arg[0] == NULL, then argv[1] will actually be envp[0] and so on for the rest of the environment, because Linux sets up the argv[] and envp[] arrays contiguously in memory.

So, even if there are 0 args, this loop will nevertheless run and will consume envp[] instead of argv[].

Apparently, OpenBSD is immune to bugs of this sort because Theo et al. treat argv[0] == 0 as A Bad Thing and the execxx() functions fail right away. So bailing entirely at the very start if argv[0] == 0 might be a good fix!

Where lua.c uses argv[0] it does indeed correctly verify that is not NULL, but the code above will definitely "do the wrong thing" when argv[0]==0, even if it can't obviously be exploited.