- Subject: Re: [ANN] Lua 5.4.1 (rc1) now available
- From: Gé Weijers <ge@...>
- Date: Wed, 7 Oct 2020 17:38:37 -0700
On Wed, Oct 7, 2020 at 2:00 PM Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
>
>
> So, I don't see any bug here. (Of course, it would be better if we could
> improve the performance of tables.)
One problem is that this can create an opportunity for DOS attacks if
the numbers are under the control of an attacker.

Strings have a similar problem if the 'step' parameter of luaS_hash
is > 1, you can create enormous amounts of strings that all hash to the
same value. This works for strings of length 41 and up in Lua 5.4.
Inserting a million maliciously crafted strings into the key position
of a table takes close to two hours on my laptop.

The question is whether this kind of "pathological" behavior should be
considered a bug or not.
--
Gé
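
What a 'step' greater than 1 means for a string hash, as an added example that is not part of the original message and not code from the Lua sources: the model hash below reads only every step-th byte, so the bytes in between never influence the result, while a step of 1 reads them all. The loop shape, the seed and the step value of 2 are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 41        /* shortest length the message reports as affected */
#define SEED 0x5bd1e995u  /* constructed seed for this example */

/* Model of a hash that reads only every step-th byte, walking back from the
   end of the string. Assumed loop shape; step must be >= 1. */
static unsigned int sampled_hash(const char *s, size_t l, unsigned int seed,
                                 size_t step) {
    unsigned int h = seed ^ (unsigned int)l;
    for (; l >= step; l -= step)
        h ^= (h << 5) + (h >> 2) + (unsigned char)s[l - 1];
    return h;
}

/* Return how many bytes the loop above never reads; if is_read is not NULL,
   also mark each index that it does read. */
static size_t unread_bytes(size_t len, size_t step, unsigned char *is_read) {
    size_t read = 0;
    if (is_read) memset(is_read, 0, len);
    for (size_t l = len; l >= step; l -= step, read++)
        if (is_read) is_read[l - 1] = 1;
    return len - read;
}

/* Build two keys that differ in every ignored position. Returns 1 when the
   keys are different but the hash cannot tell them apart. */
static int ignored_bytes_collide(size_t step) {
    char a[KEY_LEN], b[KEY_LEN];
    unsigned char is_read[KEY_LEN];
    unread_bytes(KEY_LEN, step, is_read);
    memset(a, 'a', KEY_LEN);
    memcpy(b, a, KEY_LEN);
    for (size_t i = 0; i < KEY_LEN; i++)
        if (!is_read[i]) b[i] = 'b';
    return memcmp(a, b, KEY_LEN) != 0 &&
           sampled_hash(a, KEY_LEN, SEED, step) ==
           sampled_hash(b, KEY_LEN, SEED, step);
}

int main(void) {
    for (size_t step = 1; step <= 2; step++)
        printf("step=%zu ignored=%zu collide=%d\n", step,
               unread_bytes(KEY_LEN, step, NULL), ignored_bytes_collide(step));
    return 0;
}
```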