
...

This recommendation is related to the rules SIG32-C. Do not call longjmp() from inside a signal handler and ENV32-C. All atexit handlers must return normally.

...

Because g() has finished executing at the time longjmp() is called, it is no longer on the stack. When do_stuff() is invoked, its stack frame occupies the same memory as the old stack frame of g(). In this case, a was located in the same location as the return address of function g(). The call to memcpy() overwrites the return address, so, when longjmp() sends control back to function g(), the function returns to the wrong address (in this case, to function bad()).

If the array b were user-specified, the user would be able to set the return address of function g() to any location.
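The compliant shape of the facility, as an added example that is not part of the original page: setjmp() is called in a function that is still on the stack when a callee longjmp()s back to it, so the saved frame and return address are still valid. The names checked_copy and run_copy are hypothetical.

```c
#include <setjmp.h>
#include <stddef.h>
#include <string.h>

/* Jump target set by run_copy(). Valid only while run_copy() is live. */
static jmp_buf env;

/* Hypothetical helper: copies src into dst, or longjmp()s back to
 * run_copy() if it would not fit, instead of overflowing the buffer.
 * run_copy() has not returned yet, so its frame is intact. */
static void checked_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) {
        longjmp(env, 1);          /* unwind to setjmp() in run_copy() */
    }
    memcpy(dst, src, n + 1);
}

/* Returns the number of bytes copied, or -1 if the copy was rejected.
 * `started` is volatile because a non-volatile automatic modified
 * between setjmp() and longjmp() has an indeterminate value afterwards. */
int run_copy(const char *src) {
    char buf[16];
    volatile int started = 0;
    if (setjmp(env) != 0) {
        /* Reached via longjmp(): we are back in the still-live frame of
         * run_copy(), not a stale one, so the return below is safe. */
        return started ? -1 : -2;  /* -2 would mean state was lost */
    }
    started = 1;
    checked_copy(buf, sizeof buf, src);
    return (int)strlen(buf);
}
```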

...

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
MSC22-C         low       probable    medium            P4        L3


...
