The C Language facilities setjmp() and longjmp() can be used as a poor attempt to simulate the throwing and catching of exceptions, but they are very low-level facilities, and using them can bypass proper resource management and the proper calling of destructors.
The C++ Standard ISO/IEC 14882-2003, section 18.7 paragraph 4. says:
The function signature longjmp(jmp_buf jbuf, int val) has more restricted behavior in this International Standard. A setjmp/longjmp call pair has undefined behavior if replacing the setjmp and longjmp by catch and throw would destroy any automatic objects.
Non-Compliant Code Example
Compliant Solution
Risk Assessment
Using setjmp() and longjmp() could lead to a denial-of-service attack.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
RES39-C |
1 (low) |
2 (probable) |
2 (medium) |
P4 |
L3 |
References
[[ISO/IEC 14882-2003]] Section 18.7
[[Henricson 97]] Rule 13.3 Do not use setjmp() and longjmp().
MSC16-CPP. Consider encrypting function pointers 49. Miscellaneous (MSC) MSC18-CPP. Finish every set of statements associated with a case label with a break statement