setjmp() should only be invoked from one of the contexts listed in §7.13.1.1 of [ISO/IEC 9899:1999]. Invoking setjmp() outside of one of these contexts results in undefined behavior (see Undefined Behavior 119).

After invoking longjmp(), non-volatile-qualified local objects should not be accessed if their values could have changed since the invocation of setjmp(). In this case their values are indeterminate, and accessing them is undefined behavior (see Undefined Behavior 121, 10).

longjmp() should never be used to return control to a function that has terminated execution (see Undefined Behavior 120).

...

The following noncompliant code example calls setjmp() in an assignment statement, resulting in undefined behavior.

...

Placing the call to setjmp() in the if statement and (optionally) comparing it with a constant integer removes the undefined behavior.

...

Noncompliant Code Example

Any attempt to longjmp() to a function that has terminated execution results in possibly exploitable undefined behavior.

#include <setjmp.h>

jmp_buf buf;

void g(void);
void h(void);

void f(void) {
  g();
  h();
  return;
}

void g(void) {
  /* Saves the current execution environment of g() in buf */
  if (setjmp(buf) != 0) {
    /* longjmp was invoked */
  }
  return;
}

void h(void) {
  /* ... */
  /* Noncompliant: g() has already returned, so the environment saved in buf
   * no longer refers to an active function invocation */
  longjmp(buf, 1);
}

Compliant Solution

longjmp() should only be used when the function containing the corresponding setjmp() is guaranteed not to have terminated execution, as in the following example.

...

Non-volatile-qualified objects local to the function that invoked the corresponding setjmp() have indeterminate values after longjmp() has been executed if their value has been changed since the invocation of setjmp().

#include <setjmp.h>
#include <stdio.h>

jmp_buf buf;

void g(void);

void f(void) {
  int i = 0;  /* Noncompliant: not volatile-qualified */
  if (setjmp(buf) != 0) {
    /* i was modified after setjmp() returned, so its value here is indeterminate */
    printf("%i\n", i);
    /* ... */
  }
  i = 2;
  g();
}

void g(void) {
  /* ... */
  longjmp(buf, 1);
}

...

If an object local to the function that invoked setjmp() needs to be accessed after longjmp() returns control to the function, the object should be volatile-qualified.

...
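The following added example (not code from the CERT page) puts the three points above together: setjmp() is used as the whole controlling expression of an if statement, longjmp() is reached only while the function that called setjmp() is still executing, and the local object read after the jump is volatile-qualified. The parse_byte() stage and the byte-validity check are hypothetical and exist only to give the jump a reason.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

static jmp_buf env; /* only valid while run_stage() is executing */

/* Hypothetical processing step: abandons the stage on a byte >= 0x80.
 * longjmp() is reached only from within run_stage()'s call tree, so the
 * environment saved in env still refers to an active function. */
static void parse_byte(unsigned char b) {
  if (b > 0x7F) {
    longjmp(env, 1); /* non-zero status, so it cannot be mistaken for the direct return */
  }
}

/* Returns the number of bytes processed before the first bad byte,
 * or len if every byte was accepted. */
size_t run_stage(const unsigned char *data, size_t len) {
  /* volatile: modified after setjmp() and read again after longjmp() */
  volatile size_t processed = 0;

  /* setjmp() as the entire controlling expression of an if statement,
   * one of the contexts permitted by C99 7.13.1.1 */
  if (setjmp(env) != 0) {
    /* Reached via longjmp(); processed is reliable because it is volatile */
    return processed;
  }

  while (processed < len) {
    parse_byte(data[processed]);
    processed = processed + 1;
  }
  return processed; /* setjmp() frame is still live until here */
}

int main(void) {
  /* Constructed sample input with a bad byte at index 3 */
  const unsigned char sample[] = { 0x41, 0x42, 0x43, 0xC3, 0x44 };
  printf("processed %zu of %zu bytes\n",
         run_stage(sample, sizeof sample), sizeof sample);
  return 0;
}
```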

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
MSC22-C         low       probable    low / medium      P6 / P4   L2 / L3

References

[ISO/IEC 9899:1999] Section 7.13, "Nonlocal jumps <setjmp.h>"
[ISO/IEC 9899:1999] Section J.2, "Portability issues"