# CWE-476: NULL Pointer Dereference in Lua's `checkcontrol` Function

checkmate

Jan 20, 2026, 12:15:57 PM
to lua-l

### Description

The checkcontrol function in the Lua auxiliary library (lauxlib.c) has a vulnerability that allows a NULL pointer dereference (CWE-476). The function takes a parameter message of type const char* and does not validate that this pointer is non-NULL before dereferencing it.

### Vulnerability Details

  1. *Location*: In the checkcontrol function at line 702, the code dereferences message with `*(message++)` without a NULL check. If message is NULL, this operation results in a NULL pointer dereference.

  2. *Data Flow*: The parameter message flows into checkcontrol from the functions warnfon and warnfoff. In both of these functions, the caller can potentially pass a NULL pointer.

  3. *Code Impact*: A NULL pointer dereference can cause a program crash, leading to undefined behavior.

  4. *Lack of Sanitization*: No checks are performed to ensure message is valid, leaving it vulnerable if called with a NULL value.

### Relevant Code Snippet

```c
// Method: checkcontrol#701#711#lauxlib.c
701: int checkcontrol (lua_State *L, const char *message, int tocont) {
702:   if (tocont || *(message++) != '@')
703:     return 0;
704:   else {
705:     if (strcmp(message, "off") == 0)
706:       lua_setwarnf(L, warnfoff, L);
707:     else if (strcmp(message, "on") == 0)
708:       lua_setwarnf(L, warnfon, L);
709:     return 1;
710:   }
711: }
```

### Affected Functions

- warnfon:

```c
void warnfon (void *ud, const char *message, int tocont) {
  if (checkcontrol((lua_State *)ud, message, tocont))
    return;
  lua_writestringerror("%s", "Lua warning: ");
  warnfcont(ud, message, tocont);
}
```

- warnfoff:

```c
void warnfoff (void *ud, const char *message, int tocont) {
  checkcontrol((lua_State *)ud, message, tocont);
}
```

### Version

The vulnerability is associated with version 0b73ed8f083c99b5ff88e0822532db7ad8785881.
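
The control-message check described in the post above, as an added stand-alone example that is not part of the original post or of Lua's source. It keeps the decision order of the quoted snippet and adds an explicit NULL guard; `enum ctl`, `struct warn_state` and `check_control_guarded` are hypothetical names, and the struct stands in for the `lua_setwarnf` calls so nothing links against Lua.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes: 0 and 1 mirror the quoted function's returns. */
enum ctl { CTL_NONE = 0, CTL_HANDLED = 1, CTL_REJECTED_NULL = -1 };

/* Assumption: replaces lua_setwarnf(L, warnfon/warnfoff, L) with a flag. */
struct warn_state { int enabled; };

static int check_control_guarded(struct warn_state *ws,
                                 const char *message, int tocont) {
  if (message == NULL)
    return CTL_REJECTED_NULL;         /* the check the post says is absent */
  /* Without the guard, '||' short-circuits: a continued piece (tocont != 0)
     returns before message is read; only tocont == 0 reaches the dereference. */
  if (tocont || *(message++) != '@')
    return CTL_NONE;                  /* ordinary warning text */
  if (strcmp(message, "off") == 0)
    ws->enabled = 0;
  else if (strcmp(message, "on") == 0)
    ws->enabled = 1;
  return CTL_HANDLED;                 /* unknown "@..." is consumed, no effect */
}

int main(void) {
  struct warn_state ws = { 0 };
  /* Constructed inputs covering each branch. */
  const struct { const char *msg; int tocont; } cases[] = {
    { "@on", 0 }, { "disk full", 0 }, { "@off", 1 }, { "@verbose", 0 },
    { "@off", 0 }, { "", 0 }, { NULL, 0 }, { NULL, 1 }
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    int r = check_control_guarded(&ws, cases[i].msg, cases[i].tocont);
    printf("%-10s tocont=%d -> %2d (enabled=%d)\n",
           cases[i].msg ? cases[i].msg : "(NULL)",
           cases[i].tocont, r, ws.enabled);
  }
  return 0;
}
```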

Sainan

Jan 20, 2026, 12:30:31 PM
to lu...@googlegroups.com
Hooray to AI-generated spam.

-- Sainan

Martin Eden

Jan 20, 2026, 6:42:32 PM
to lu...@googlegroups.com
On 2026-01-20 19:30, 'Sainan' via lua-l wrote:
> Hooray to AI-generated spam.
>
> -- Sainan
>
At first I was terrified. How can we survive? But my daddy told me that
C itself allows "NULL Pointer Dereference". I'm in a catatonic stupor
right now.

On the positive side, I think it would make a great name for a
programmers' pub somewhere in California: NULL POINTER DEREFERENCE.

(Sorry for the off-topic, guys, but I can't resist being human sometimes.)

-- Martin
