...
Do not call setjmp() or longjmp(); their usage can be replaced by more standard idioms such as throw expressions and catch statements.
Noncompliant Code Example
Calling longjmp() such that it would invoke a nontrivial destructor were the call replaced with a throw expression results in undefined behavior, as demonstrated in this noncompliant code example:
...
| Code Block |
|---|
Before setjmp(): Instances: 0 f(): Instances: 1 From longjmp(): Instances: 1 After longjmp(): Instances: 1 |
Compliant Solution
This compliant solution replaces the calls to setjmp() and longjmp() with a throw expression and a catch statement:
...
| Code Block |
|---|
Before throw: Instances: 0 f(): Instances: 1 From catch: Instances: 0 After catch: Instances: 0 |
Risk Assessment
Using setjmp() and longjmp() could lead to a denial-of-service attack due to resources not being properly destroyed.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ERR34-CPP | Low | Probable | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Secondary Analysis |
Related Vulnerabilities
Search for other vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
|
Bibliography
| [ISO/IEC 14882-2014] | 18.10, "Other Runtime Support" |
| [Henricson 97] | Rule 13.3, "Do not use setjmp() and longjmp()" |
...