From 90a712ae2b2471fe5b0802609ffb712a3ae38a31 Mon Sep 17 00:00:00 2001
From: batrick <batrick@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Tue, 7 Jul 2009 00:20:52 +0000
Subject: [PATCH] Patch to libraries that were inappropriately using globals.
 Often two (or more) scripts using the same library would overwrite the
 globals each was using. This would result in (at best) an error or (at worst)
 a deadlock.

The patch changes the global accesses to local.
---
 nselib/datafiles.lua        |  1 +
 nselib/dns.lua              |  4 +--
 nselib/imap.lua             |  2 +-
 nselib/ipOps.lua            |  9 +++++--
 nselib/match.lua            |  2 +-
 nselib/msrpc.lua            | 28 +++++++++-----------
 nselib/msrpcperformance.lua |  3 +--
 nselib/msrpctypes.lua       | 13 +++++-----
 nselib/netbios.lua          |  4 +--
 nselib/nsedebug.lua         | 10 +++----
 nselib/packet.lua           |  4 +--
 nselib/pop3.lua             | 22 ++++++++--------
 nselib/smb.lua              | 52 +++++++++++++++++++++++--------------
 nselib/smbauth.lua          | 13 +++++-----
 nselib/snmp.lua             |  2 ++
 nselib/ssh1.lua             |  8 +++---
 nselib/ssh2.lua             | 14 +++++-----
 nselib/tab.lua              |  2 +-
 nselib/url.lua              |  3 ++-
 19 files changed, 105 insertions(+), 91 deletions(-)

diff --git a/nselib/datafiles.lua b/nselib/datafiles.lua
index 42baccf60..4748a7cd2 100644
--- a/nselib/datafiles.lua
+++ b/nselib/datafiles.lua
@@ -183,6 +183,7 @@ function parse_lines(lines, data_struct)
       elseif type(value) == "string" or type(value) == "function" then
         ret = get_array( lines, value )
       elseif type(value) == "table" then
+        local _
         _, ret[index] = parse_lines( lines, value )
       else
         -- TEMP
diff --git a/nselib/dns.lua b/nselib/dns.lua
index ae12bcf13..a7de67e82 100644
--- a/nselib/dns.lua
+++ b/nselib/dns.lua
@@ -717,8 +717,8 @@ end
 -- @param flgStr Flags as a binary digit string.
 -- @return Table representing flags.
 local function decodeFlags(flgStr)
-   flags = {}
-   flgTbl = str2tbl(flgStr)
+   local flags = {}
+   local flgTbl = str2tbl(flgStr)
    if flgTbl[1] == '1' then flags.QR = true end
    if flgTbl[2] == '1' then flags.OC1 = true end   
    if flgTbl[3] == '1' then flags.OC2 = true end
diff --git a/nselib/imap.lua b/nselib/imap.lua
index e280cba07..038fede5c 100644
--- a/nselib/imap.lua
+++ b/nselib/imap.lua
@@ -21,7 +21,7 @@ function capabilities(host, port)
    local proto = (port.version and port.version.service_tunnel == "ssl" and "ssl") or "tcp"
    if not socket:connect(host.ip, port.number, proto) then return nil, "Could Not Connect" end
 
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    if not string.match(line, "^[%*] OK") then return nil, "No Response" end
    
    socket:send("a001 CAPABILITY\r\n")
diff --git a/nselib/ipOps.lua b/nselib/ipOps.lua
index 3c7f5c0de..e0468be7e 100644
--- a/nselib/ipOps.lua
+++ b/nselib/ipOps.lua
@@ -31,6 +31,7 @@ module ( "ipOps" )
 -- @return True or false (or <code>nil</code> in case of an error).
 -- @return String error message in case of an error.
 isPrivate = function( ip )
+  local err
 
   ip, err = expand_ip( ip )
   if err then return nil, err end
@@ -77,7 +78,7 @@ todword = function( ip )
     return nil, "Error in ipOps.todword: Expected IPv4 address."
   end
 
-  local n, ret = {}
+  local n, ret, err = {}
   n, err = get_parts_as_number( ip )
   if err then return nil, err end
 
@@ -104,6 +105,7 @@ end
 -- <code>nil</code> in case of an error).
 -- @return String error message in case of an error.
 get_parts_as_number = function( ip )
+  local err
 
   ip, err = expand_ip( ip )
   if err then return nil, err end
@@ -250,6 +252,7 @@ end
 -- <code>nil</code> in case of an error).
 -- @return String error message in case of an error.
 expand_ip = function( ip )
+  local err
 
   if type( ip ) ~= "string" or ip == "" then
     return nil, "Error in ipOps.expand_ip: Expected IP address as a string."
@@ -427,6 +430,7 @@ end
 -- digits (or <code>nil</code> in case of an error).
 -- @return    String error message in case of an error.
 ip_to_bin = function( ip )
+  local err
 
   ip, err = expand_ip( ip )
   if err then return nil, err end
@@ -473,6 +477,7 @@ bin_to_ip = function( binstring )
     return nil, "Error in ipOps.bin_to_ip: Expected string of binary digits."
   end
 
+  local af
   if string.len( binstring ) == 32 then
     af = 4
   elseif string.len( binstring ) == 128 then
@@ -481,7 +486,7 @@ bin_to_ip = function( binstring )
     return nil, "Error in ipOps.bin_to_ip: Expected exactly 32 or 128 binary digits."
   end
 
-  t = {}
+  local t = {}
   if af == 6 then
     local pattern = string.rep( "[01]", 16 )
     for chunk in string.gmatch( binstring, pattern ) do
diff --git a/nselib/match.lua b/nselib/match.lua
index 315983cae..f28cfafee 100644
--- a/nselib/match.lua
+++ b/nselib/match.lua
@@ -29,7 +29,7 @@ regex = function(pattern)
 	local r = pcre.new(pattern, 0,"C")
 
 	return function(buf)
-		s,e = r:exec(buf, 0,0);
+		local s,e = r:exec(buf, 0,0);
 		return s,e
 	end
 end
diff --git a/nselib/msrpc.lua b/nselib/msrpc.lua
index 90e4b80d7..6810d681a 100644
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -2122,6 +2122,7 @@ function winreg_queryvalue(smbstate, handle, value)
 
 	-- Format the type properly and put it in "value"
 	if(result['data'] ~= nil) then
+        local _
 		if(result['type'] == "REG_DWORD") then
 			_, result['value'] = bin.unpack("<I", result['data'])
 		elseif(result['type'] == "REG_SZ" or result['type'] == "REG_MULTI_SZ" or result['type'] == "REG_EXPAND_SZ") then
@@ -2855,35 +2856,31 @@ function samr_enum_users(host)
 		local domain = enumdomains_result['sam']['entries'][i]['name']
 		-- We don't care about the 'builtin' domain, in all my tests it's empty
 		if(domain ~= 'Builtin') then
-			local sid
-			local domain_handle
-			local opendomain_result, querydisplayinfo_result
-
 			-- Call LookupDomain()
-			status, lookupdomain_result = samr_lookupdomain(smbstate, connect_handle, domain)
+			local status, lookupdomain_result = samr_lookupdomain(smbstate, connect_handle, domain)
 			if(status == false) then
 				stop_smb(smbstate)
 				return false, lookupdomain_result
 			end
 
 			-- Save the sid
-			sid = lookupdomain_result['sid']
+			local sid = lookupdomain_result['sid']
 	
 			-- Call OpenDomain()
-			status, opendomain_result = samr_opendomain(smbstate, connect_handle, sid)
+			local status, opendomain_result = samr_opendomain(smbstate, connect_handle, sid)
 			if(status == false) then
 				stop_smb(smbstate)
 				return false, opendomain_result
 			end
 
 			-- Save the domain handle
-			domain_handle = opendomain_result['domain_handle']
+			local domain_handle = opendomain_result['domain_handle']
 
 			-- Loop as long as we're getting valid results	
 			j = 0
 			repeat
 				-- Call QueryDisplayInfo()
-				status, querydisplayinfo_result = samr_querydisplayinfo(smbstate, domain_handle, j, SAMR_GROUPSIZE)
+				local status, querydisplayinfo_result = samr_querydisplayinfo(smbstate, domain_handle, j, SAMR_GROUPSIZE)
 				if(status == false) then
 					stop_smb(smbstate)
 					return false, querydisplayinfo_result
@@ -2975,7 +2972,7 @@ function lsa_enum_users(host)
 
 	-- Start with some common names, as well as the name returned by the negotiate call
 	-- Vista doesn't like a 'null' after the server name, so fix that (TODO: the way I strip the null here feels hackish, is there a better way?)
-	names = {"administrator", "guest", "test"}
+	local names = {"administrator", "guest", "test"}
 	-- These aren't always sent back (especially with 'extended security')
 	if(smbstate['domain'] ~= nil) then
 		names[#names + 1] = smbstate['domain']
@@ -3471,14 +3468,14 @@ function get_server_stats(host)
 	end
    
 	-- Bind to SRVSVC service
-	status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
+	local status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
 	if(status == false) then
 		smb.stop(smbstate)
 		return false, bind_result
 	end
    
 	-- Call netservergetstatistics for 'server'
-	status, netservergetstatistics_result = srvsvc_netservergetstatistics(smbstate, host.ip)
+	local status, netservergetstatistics_result = srvsvc_netservergetstatistics(smbstate, host.ip)
 	if(status == false) then
 		smb.stop(smbstate)
 		return false, netservergetstatistics_result
@@ -3573,24 +3570,23 @@ end
 --@return A table of information about the share (if status is true) or an an error string (if 
 --        status is false).
 function get_share_info(host, name)
-	local status, smbstate
 	local response = {}
 
 	-- Create the SMB session
-	status, smbstate = start_smb(host, SRVSVC_PATH)
+	local status, smbstate = start_smb(host, SRVSVC_PATH)
 	if(status == false) then
 		return false, smbstate
 	end
 
 	-- Bind to SRVSVC service
-	status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
+	local status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
 	if(status == false) then
 		smb.stop(smbstate) 
 		return false, bind_result
 	end
 
 	-- Call NetShareGetInfo
-	status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 2)
+	local status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 2)
 	if(status == false) then
 		smb.stop(smbstate) 
 		return false, netsharegetinfo_result
diff --git a/nselib/msrpcperformance.lua b/nselib/msrpcperformance.lua
index 37c8b1823..c53c51eab 100644
--- a/nselib/msrpcperformance.lua
+++ b/nselib/msrpcperformance.lua
@@ -427,10 +427,9 @@ function get_performance_data(host, objects)
 
 	local status, smbstate
 	local bind_result, openhkpd_result, queryvalue_result, data_block
-	local pos
+	local pos, object_type, counter_result
 	local result = {}
 	local i, j, k
-	local pos
 
 	-- Create the SMB session
 	status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
diff --git a/nselib/msrpctypes.lua b/nselib/msrpctypes.lua
index e28379be1..c3b651ca6 100644
--- a/nselib/msrpctypes.lua
+++ b/nselib/msrpctypes.lua
@@ -455,7 +455,7 @@ local function unmarshall_array(data, pos, count, func, args)
 		args = {}
 	end
 
-	pos, max_count = bin.unpack("<I", data, pos)
+	local pos, max_count = bin.unpack("<I", data, pos)
 	if(max_count == nil) then
 		stdnse.print_debug(1, "MSRPC: ERROR: Ran off the end of a packet in unmarshall_array(). Please report!")
 	end
@@ -1165,6 +1165,7 @@ end
 --@return (pos, time) The new position, and the time in seconds since 1970. 
 function unmarshall_SYSTEMTIME(data, pos)
 	local date = {}
+    local _
 
 	pos, date['year'], date['month'], _, date['day'], date['hour'], date['min'], date['sec'], _ = bin.unpack("<SSSSSSSS", data, pos)
 	if(date['sec'] == nil) then
@@ -1227,14 +1228,13 @@ end
 --@param default The default value to return if the lookup was unsuccessful. 
 --@return (pos, policy_handle) The new position, and a table representing the policy_handle. 
 local function unmarshall_Enum32(data, pos, table, default)
-	local i, v
 	stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_Enum32()"))
 
 	if(default == nil) then
 		default = "<unknown>"
 	end
 
-	pos, val = unmarshall_int32(data, pos)
+	local pos, val = unmarshall_int32(data, pos)
 
 	for i, v in pairs(table) do
 		if(v == val) then
@@ -1257,14 +1257,13 @@ end
 --@param pad     [optional] If set, will ensure that we end up on an even multiple of 4. Default: true. 
 --@return (pos, policy_handle) The new position, and a table representing the policy_handle. 
 local function unmarshall_Enum16(data, pos, table, default, pad)
-	local i, v
 	stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_Enum16()"))
 
 	if(default == nil) then
 		default = "<unknown>"
 	end
 
-	pos, val = unmarshall_int16(data, pos, pad)
+	local pos, val = unmarshall_int16(data, pos, pad)
 
 	for i, v in pairs(table) do
 		if(v == val) then
@@ -1474,7 +1473,7 @@ function unmarshall_dom_sid2(data, pos)
 	end
 
 	-- Convert the SID to a string
-	result = string.format("S-%u-%u", sid['sid_rev_num'], sid['authority'])
+	local result = string.format("S-%u-%u", sid['sid_rev_num'], sid['authority'])
 	for i = 1, sid['num_auths'], 1 do
 		result = result .. string.format("-%u", sid['sub_auths'][i])
 	end
@@ -1528,7 +1527,7 @@ function marshall_dom_sid2(sid)
 		return nil
 	end
 
-	pos = 3
+	local pos = 3
 
 	pos_next = string.find(sid, "-", pos)
 	sid_array['sid_rev_num'] = string.sub(sid, pos, pos_next - 1)
diff --git a/nselib/netbios.lua b/nselib/netbios.lua
index bae98457b..7ff877bfb 100644
--- a/nselib/netbios.lua
+++ b/nselib/netbios.lua
@@ -289,12 +289,12 @@ function do_nbstat(host)
 
 	socket:set_timeout(1000)
 
-	status, result = socket:receive_bytes(1)
+	local status, result = socket:receive_bytes(1)
 	if(status == false) then
 		return false, result
 	end
 
-	close_status, err = socket:close()
+	local close_status, err = socket:close()
 	if(close_status == false) then
 		return false, err
 	end
diff --git a/nselib/nsedebug.lua b/nselib/nsedebug.lua
index 823a44b52..4afb39d51 100644
--- a/nselib/nsedebug.lua
+++ b/nselib/nsedebug.lua
@@ -65,7 +65,7 @@ function print_hex(str)
 
 		-- Loop through the string, printing the hex
 		for char=1, 16, 1 do
-			ch = string.byte(str, ((line - 1) * 16) + char)
+			local ch = string.byte(str, ((line - 1) * 16) + char)
 			io.write(string.format("%02x ", ch))
 		end
 
@@ -73,7 +73,7 @@ function print_hex(str)
 
 		-- Loop through the string again, this time the ascii
 		for char=1, 16, 1 do
-			ch = string.byte(str, ((line - 1) * 16) + char)
+			local ch = string.byte(str, ((line - 1) * 16) + char)
 			if ch < 0x20 or ch > 0x7f then
 				ch = string.byte(".", 1)
 			end
@@ -84,18 +84,18 @@ function print_hex(str)
 	end
 
 	-- Prints out the final, partial line
-	line = math.floor((string.len(str)/16)) + 1
+	local line = math.floor((string.len(str)/16)) + 1
 	io.write(string.format("%08x ", (line - 1) * 16))
 
 	for char=1, string.len(str) % 16, 1 do
-		ch = string.byte(str, ((line - 1) * 16) + char)
+		local ch = string.byte(str, ((line - 1) * 16) + char)
 		io.write(string.format("%02x ", ch))
 	end
 	io.write(string.rep("   ", 16 - (string.len(str) % 16)));
 	io.write("   ")
 
 	for char=1, string.len(str) % 16, 1 do
-		ch = string.byte(str, ((line - 1) * 16) + char)
+		local ch = string.byte(str, ((line - 1) * 16) + char)
 		if ch < 0x20 or ch > 0x7f then
 			ch = string.byte(".", 1)
 		end
diff --git a/nselib/packet.lua b/nselib/packet.lua
index 70928760e..f40fd0b0f 100644
--- a/nselib/packet.lua
+++ b/nselib/packet.lua
@@ -285,14 +285,14 @@ end
 --- Set the source IP address.
 -- @param binip The source IP address as a byte string.
 function Packet:ip_set_bin_src(binip)
-	nrip = u32(binip, 0)
+	local nrip = u32(binip, 0)
 	self:set_u32(self.ip_offset + 12, nrip)
 	self.ip_bin_src		= self:raw(self.ip_offset + 12,4)	-- raw 4-bytes string
 end
 --- Set the destination IP address.
 -- @param binip The destination IP address as a byte string.
 function Packet:ip_set_bin_dst(binip)
-	nrip = u32(binip, 0)
+	local nrip = u32(binip, 0)
 	self:set_u32(self.ip_offset + 16, nrip)
 	self.ip_bin_dst		= self:raw(self.ip_offset + 16,4)
 end
diff --git a/nselib/pop3.lua b/nselib/pop3.lua
index c182b12e5..566504c66 100644
--- a/nselib/pop3.lua
+++ b/nselib/pop3.lua
@@ -43,7 +43,7 @@ end
 -- @return Error code if status is false.
 function login_user(socket, user, pw)
    socket:send("USER " .. user .. "\r\n")
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    if not stat(line) then return false, err.user_error end
    socket:send("PASS " .. pw .. "\r\n")
       
@@ -67,7 +67,7 @@ function login_sasl_plain(socket, user, pw)
    local auth64 = base64.enc(user .. "\0" .. user .. "\0" .. pw)
    socket:send("AUTH PLAIN " .. auth64 .. "\r\n")
    
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    
    if stat(line) then 
       return true, err.none
@@ -91,14 +91,14 @@ function login_sasl_login(socket, user, pw)
 
    socket:send("AUTH LOGIN\r\n")
       
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    if not base64.dec(string.sub(line, 3)) == "User Name:" then 
       return false, err.userError 
    end
 
    socket:send(user64)
       
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
 
    if not base64.dec(string.sub(line, 3)) == "Password:" then 
       return false, err.userError
@@ -106,7 +106,7 @@ function login_sasl_login(socket, user, pw)
 
    socket:send(pw64)
       
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
     
    if stat(line) then
       return true, err.none
@@ -129,7 +129,7 @@ function login_apop(socket, user, pw, challenge)
    local apStr = stdnse.tohex(openssl.md5(challenge .. pw))
    socket:send(("APOP %s %s\r\n"):format(user, apStr))
       
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    
    if (stat(line)) then 
       return true, err.none
@@ -152,14 +152,14 @@ function capabilities(host, port)
    local opts = {timeout=10000, recv_before=true}
    local i = 1
 
-   socket, line, bopt, first_line = comm.tryssl(host, port, "CAPA\r\n" , opts)
+   local socket, line, bopt, first_line = comm.tryssl(host, port, "CAPA\r\n" , opts)
    if not socket then return nil, "Could Not Connect" end
    if not stat(first_line) then return nil, "No Response" end
   
    if string.find(first_line, "<[%p%w]+>") then capas.APOP = true end
    
-   lines = stdnse.strsplit("\r\n",line)
-   line = lines[1]
+   local lines = stdnse.strsplit("\r\n",line)
+   local line = lines[1]
 
    if not stat(line) then 
       capas.capa = false
@@ -199,7 +199,7 @@ function login_sasl_crammd5(socket, user, pw)
 
    socket:send("AUTH CRAM-MD5\r\n")
    
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    
    local challenge = base64.dec(string.sub(line, 3))
 
@@ -207,7 +207,7 @@ function login_sasl_crammd5(socket, user, pw)
    local authStr = base64.enc(user .. " " .. digest)
    socket:send(authStr .. "\r\n")
       
-   status, line = socket:receive_lines(1)
+   local status, line = socket:receive_lines(1)
    
    if stat(line) then 
       return true, err.none
diff --git a/nselib/smb.lua b/nselib/smb.lua
index 4196db07d..470bb24ec 100644
--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -309,7 +309,7 @@ function add_account(host, username, password)
 	if(string.lower(username) ~= "guest" and string.lower(username) ~= "") then
 		-- Save the new account if this is our first one, or our other account isn't an admin
 		if(nmap.registry[host.ip]['smbaccount'] == nil or nmap.registry[host.ip]['smbaccount']['is_admin'] == false) then
-			local result
+			local result, _
 	
 			nmap.registry[host.ip]['smbaccount'] = {}
 			nmap.registry[host.ip]['smbaccount']['username'] = username
@@ -587,7 +587,7 @@ function start_netbios(host, port, name)
 	-- If all else fails, use each substring of the DNS name (this is a HUGE hack, but is actually
 	-- a recommended way of doing this!)
 	if(host.name ~= nil and host.name ~= "") then
-		new_names = get_subnames(host.name)
+		local new_names = get_subnames(host.name)
 		for i = 1, #new_names, 1 do
 			names[#names + 1] = new_names[i]
 		end
@@ -604,7 +604,7 @@ function start_netbios(host, port, name)
 		-- Some debug information
 		stdnse.print_debug(1, "SMB: Trying to start NetBIOS session with name = '%s'", name)
 		-- Request a NetBIOS session
-		session_request = bin.pack(">CCSzz", 
+		local session_request = bin.pack(">CCSzz", 
 					0x81,                        -- session request
 					0x00,                        -- flags
 					0x44,                        -- length
@@ -999,7 +999,7 @@ function negotiate_protocol(smb)
 
 	-- Send the negotiate request
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_NEGOTIATE")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(status == false) then
 		return false, err
 	end
@@ -1011,6 +1011,7 @@ function negotiate_protocol(smb)
 	end
 
 	-- Parse out the header
+    local uid, tid, header4
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 
 	-- Check if we fell off the packet (if that happened, the last parameter will be nil)
@@ -1112,9 +1113,9 @@ function negotiate_protocol(smb)
 end
 
 function start_session_basic(smb, overrides, use_default, log_errors)
-	local i
+	local i, err
 	local status, result
-	local header, parameters, data
+	local header, parameters, data, domain
 	local pos
 	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid 
 	local andx_command, andx_reserved, andx_offset, action
@@ -1234,7 +1235,7 @@ end
 
 function start_session_extended(smb, overrides, use_default, log_errors)
 	local i
-	local status, status_name, result
+	local status, status_name, result, err
 	local header, parameters, data
 	local pos
 	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid 
@@ -1416,7 +1417,7 @@ end
 --        table with the following elements:
 --      * 'tid'         The TreeID for the session
 function tree_connect(smb, path)
-	local header, parameters, data
+	local header, parameters, data, err, result
 	local pos
 	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid 
 	local andx_command, andx_reserved, andx_offset, action
@@ -1449,6 +1450,7 @@ function tree_connect(smb, path)
 	end
 
 	-- Check if we were allowed in
+    local uid, tid
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [20]"
@@ -1480,18 +1482,19 @@ function tree_disconnect(smb)
 
 	-- Send the tree disconnect request
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_TREE_DISCONNECT")
-	result, err = smb_send(smb, header, "", "")
+	local result, err = smb_send(smb, header, "", "")
 	if(result == false) then
 		return false, err
 	end
 
 	-- Read the result
-	status, header, parameters, data = smb_read(smb)
+	local status, header, parameters, data = smb_read(smb)
 	if(status ~= true) then
 		return false, header
 	end
 
 	-- Check if there was an error
+    local uid, tid, pos
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [21]"
@@ -1512,7 +1515,7 @@ end
 --@return (status, result) If statis is false, result is an error message. If status is true, 
 --              the logoff was successful. 
 function logoff(smb)
-	local header, parameters
+	local header, parameters, data
 	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid 
 
 	header = smb_encode_header(smb, command_codes['SMB_COM_LOGOFF_ANDX'])
@@ -1526,7 +1529,7 @@ function logoff(smb)
 
 	-- Send the tree disconnect request
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_LOGOFF_ANDX")
-	result, err = smb_send(smb, header, parameters, "")
+	local result, err = smb_send(smb, header, parameters, "")
 	if(result == false) then
 		return false, err
 	end
@@ -1543,6 +1546,7 @@ function logoff(smb)
 	smb['mac_key']  = nil
 
 	-- Check if there was an error
+    local uid, tid, pos
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [22]"
@@ -1598,7 +1602,7 @@ function create_file(smb, path)
 
 	-- Send the create file
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_NT_CREATE_ANDX")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -1610,6 +1614,7 @@ function create_file(smb, path)
 	end
 
 	-- Check if we were allowed in
+    local uid, tid
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [23]"
@@ -1675,7 +1680,7 @@ function read_file(smb, offset, count)
 
 	-- Send the create file
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_READ_ANDX")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -1687,6 +1692,7 @@ function read_file(smb, offset, count)
 	end
 
 	-- Check if we were allowed in
+    local uid, tid
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	
 	if(mid == nil) then
@@ -1760,7 +1766,7 @@ function write_file(smb, write_data, offset)
 
 	-- Send the create file
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_WRITE_ANDX")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -1772,6 +1778,7 @@ function write_file(smb, write_data, offset)
 		return false, header
 	end
 
+    local uid, tid
 	-- Check if we were allowed in
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
@@ -1782,6 +1789,7 @@ function write_file(smb, write_data, offset)
 	end
 
 	-- Parse the parameters
+    local reserved, count_high, remaining, count_low
 	pos, andx_command, andx_reserved, andx_offset, count_low, remaining, count_high, reserved  = bin.unpack("<CCSSSSS", parameters)
 	if(reserved == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [28]"
@@ -1816,7 +1824,7 @@ function close_file(smb)
 
 	-- Send the close file
 	stdnse.print_debug(2, "SMB: Sending SMB_CLOSE")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -1828,6 +1836,7 @@ function close_file(smb)
 	end
 
 	-- Check if the close was successful
+    local uid, tid
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [27]"
@@ -1862,7 +1871,7 @@ function delete_file(smb, path)
 
 	-- Send the close file
 	stdnse.print_debug(2, "SMB: Sending SMB_CLOSE")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -1874,6 +1883,7 @@ function delete_file(smb, path)
 	end
 
 	-- Check if the close was successful
+    local uid, tid
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [27]"
@@ -1946,7 +1956,7 @@ function send_transaction_named_pipe(smb, function_parameters, function_data, pi
 
 	-- Send the transaction request
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_TRANSACTION")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -1958,6 +1968,7 @@ function send_transaction_named_pipe(smb, function_parameters, function_data, pi
 	end
 
 	-- Check if it worked
+    local uid, tid, pos
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [29]"
@@ -2031,7 +2042,7 @@ function send_transaction_waitnamedpipe(smb, priority, pipe)
 
 	-- Send the transaction request
 	stdnse.print_debug(2, "SMB: Sending SMB_COM_TRANSACTION (WaitNamedPipe)")
-	result, err = smb_send(smb, header, parameters, data)
+	local result, err = smb_send(smb, header, parameters, data)
 	if(result == false) then
 		return false, err
 	end
@@ -2043,6 +2054,7 @@ function send_transaction_waitnamedpipe(smb, priority, pipe)
 	end
 
 	-- Check if it worked
+    local uid, tid, pos
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [31]"
@@ -2073,7 +2085,7 @@ end
 --@param share      The share to upload it to (eg, C$). 
 --@param remotefile The remote file on the machine. It is relative to the share's root. 
 function file_upload(host, localfile, share, remotefile)
-	local status, smbstate
+	local status, err, smbstate
 	local chunk = 1024
 
 	local filename = nmap.fetchfile(localfile)
diff --git a/nselib/smbauth.lua b/nselib/smbauth.lua
index 939d89549..c0cd53ae7 100644
--- a/nselib/smbauth.lua
+++ b/nselib/smbauth.lua
@@ -92,6 +92,8 @@ local NTLMSSP_NEGOTIATE = 0x00000001
 local NTLMSSP_CHALLENGE = 0x00000002
 local NTLMSSP_AUTH      = 0x00000003
 
+local session_key = string.rep(string.char(0x00), 16)
+
 local function to_unicode(str)
 	local unicode = ""
 
@@ -302,9 +304,8 @@ function ntlmv2_create_response(ntlm, username, domain, challenge, client_challe
 	end
 
 	local client_challenge = openssl.rand_bytes(client_challenge_length)
-	local ntlmv2_hash
 
-	status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
+	local status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
 
 	return true, openssl.hmac("MD5", ntlmv2_hash, challenge .. client_challenge) .. client_challenge
 end
@@ -404,9 +405,11 @@ end
 --                 and the mac_key, which is used for message signing. 
 local function get_password_response(ip, username, domain, password, password_hash, challenge, hash_type, is_extended)
 
+    local status
 	local lm_hash   = nil
 	local ntlm_hash = nil
 	local mac_key   = nil
+    local lm_response, ntlm_response
 
 	-- Check if there's a password or hash set. This is a little tricky, because in all places (except the one passed
 	-- as a parameter), it's based on whether or not the username was stored. This lets us use blank passwords by not
@@ -570,7 +573,7 @@ function get_accounts(ip, overrides, use_defaults)
 
 	-- Do the "anonymous" account
 	if(use_defaults) then
-		result = {}
+		local result = {}
 		result['username'] = ""
 		result['domain']   = ""
 		results[#results + 1] = result
@@ -598,10 +601,6 @@ function get_security_blob(security_blob, ip, username, domain, hash_type, overr
 	local new_blob
 	local flags = 0x00008211 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | NEGOTIATE_UNICODE)
 
-	if(session_key == nil) then
-		session_key = string.rep(string.char(0x00), 16)
-	end
-
 	if(security_blob == nil) then
 		-- If security_blob is nil, this is the initial packet
 		new_blob = bin.pack("<zIILL", 
diff --git a/nselib/snmp.lua b/nselib/snmp.lua
index 672232781..31001e626 100644
--- a/nselib/snmp.lua
+++ b/nselib/snmp.lua
@@ -176,6 +176,7 @@ local function decodeSeq(encStr, len, pos)
    local sStr
    pos, sStr = bin.unpack("A" .. len, encStr, pos)
    while (sPos < len) do
+      local newSeq
       sPos, newSeq = decode(sStr, sPos)
       table.insert(seq, newSeq)
       i = i + 1
@@ -206,6 +207,7 @@ function decode(encStr, pos)
    elseif (etype == "06") then -- OID
       local oid = {}
       oid._snmp = '06'
+      local octet
       pos, octet = bin.unpack("C", encStr, pos)
       oid[2] = math.mod(octet, 40)
       octet = octet - oid[2]
diff --git a/nselib/ssh1.lua b/nselib/ssh1.lua
index d44fb44ff..439a227c5 100644
--- a/nselib/ssh1.lua
+++ b/nselib/ssh1.lua
@@ -26,7 +26,7 @@ require "openssl"
 check_packet_length = function( buffer )
   local payload_length, packet_length, offset
   offset, payload_length = bin.unpack( ">I", buffer )
-  padding = 8 - payload_length % 8
+  local padding = 8 - payload_length % 8
   assert(payload_length)
   packet_length = buffer:len()
   if payload_length + 4 + padding > packet_length then return nil end
@@ -42,7 +42,7 @@ end
 --  @return status True or false
 --  @return packet The packet received
 receive_ssh_packet = function( socket )
-  status, packet = socket:receive_buf(check_packet_length)
+  local status, packet = socket:receive_buf(check_packet_length)
   return status, packet
 end
 
@@ -55,7 +55,7 @@ end
 -- <code>fingerprint</code>.
 fetch_host_key = function(host, port)
   local socket = nmap.new_socket()
-  local status
+  local status, _
 
   status = socket:connect(host.ip, port.number)
   if not status then return end
@@ -169,7 +169,7 @@ fingerprint_visual = function( fingerprint, algorithm, bits )
   end
 
   -- we start in the center and mark it
-  x, y = math.ceil(fieldsize_x/2), math.ceil(fieldsize_y/2)
+  local x, y = math.ceil(fieldsize_x/2), math.ceil(fieldsize_y/2)
   field[x][y] = #characters - 1;
 
   -- iterate over fingerprint 
diff --git a/nselib/ssh2.lua b/nselib/ssh2.lua
index 3dc6b138f..d8dc1aa55 100644
--- a/nselib/ssh2.lua
+++ b/nselib/ssh2.lua
@@ -43,7 +43,7 @@ end
 --  @return status True or false
 --  @return packet The packet received
 transport.receive_packet = function( socket )
-  status, packet = socket:receive_buf(check_packet_length)
+  local status, packet = socket:receive_buf(check_packet_length)
   return status, packet
 end
 
@@ -95,12 +95,12 @@ end
 --- Build a <code>kex_init</code> packet.
 transport.kex_init = function( cookie, options )
   options = options or {}
-  kex_algorithms = "diffie-hellman-group1-sha1"
-  host_key_algorithms = options['host_key_algorithms'] or "ssh-dss,ssh-rsa"
-  encryption_algorithms = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
-  mac_algorithms = "hmac-md5,hmac-sha1,hmac-ripemd160"
-  compression_algorithms = "none"
-  languages = ""
+  local kex_algorithms = "diffie-hellman-group1-sha1"
+  local host_key_algorithms = options['host_key_algorithms'] or "ssh-dss,ssh-rsa"
+  local encryption_algorithms = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
+  local mac_algorithms = "hmac-md5,hmac-sha1,hmac-ripemd160"
+  local compression_algorithms = "none"
+  local languages = ""
 
   local payload = bin.pack( ">cAaa", SSH2.SSH_MSG_KEXINIT, cookie, kex_algorithms, host_key_algorithms )
   payload = payload .. bin.pack( ">aa", encryption_algorithms, encryption_algorithms )
diff --git a/nselib/tab.lua b/nselib/tab.lua
index d65f826c1..d095dcbbd 100644
--- a/nselib/tab.lua
+++ b/nselib/tab.lua
@@ -113,7 +113,7 @@ function dump(t)
 	for i=1,t['rows'] do
 		for x=1, t['cols'] do
 			if t[i][x] ~= nil then
-				length = string.len(t[i][x])
+				local length = string.len(t[i][x])
 				table = table .. t[i][x]
 				table = table .. string.rep(' ', col_len[x]-length)
 			end
diff --git a/nselib/url.lua b/nselib/url.lua
index 4ac060c81..2dba368b3 100644
--- a/nselib/url.lua
+++ b/nselib/url.lua
@@ -213,6 +213,7 @@ end
 -- @return The corresponding absolute URL.
 -----------------------------------------------------------------------------
 function absolute(base_url, relative_url)
+    local base_parsed;
     if type(base_url) == "table" then
         base_parsed = base_url
         base_url = build(base_parsed)
@@ -313,7 +314,7 @@ function parse_query(query)
 	query = string.gsub(query, "&lt;", "<")
 	query = string.gsub(query, "&gt;", ">")
 
-	function ginsert(qstr)
+	local function ginsert(qstr)
 		local first, last = string.find(qstr, "=")
 		if first then
 			parsed[string.sub(qstr, 0, first-1)] = string.sub(qstr, first+1)