Test case 1505

Type: source code
State: bad
Author: Robert C. Seacord
Status: candidate
Language: C
Submission Date: 19 May 2006

Description

The longjmp() function. C99 defines the setjmp() macro, the longjmp() function and the jmp_buf type which can be used to bypass the normal function call and return discipline. The longjmp() function can be exploited by overwriting the value of PC (the program counter) in the jmp_buf buffer with the start of the shellcode. It can be accomplished with an arbitrary memory write or by a buffer overflow directly into the jmp_buf structure.
From "Secure Coding in C and C++" by Robert C. Seacord.
Page 90, Figure 3-14

Flaws

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Have any comments on this test case? Please, send us an email.