SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 88

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 89

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The result of the / operator is the quotient from the division of the first arithmetic operand by the second arithmetic operand. Division operations are susceptible to divide-by-zero errors. Overflow can also occur during two's complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. (See INT32-C. Ensure that operations on signed integers do not result in overflow.)

Noncompliant Code Example

This noncompliant code example can result in a divide-by-zero error during the division of the signed operands s_a and s_b. It can also result in a signed integer overflow error on twos-complement platforms. The x86-32 architecture, for example, requires that both conditions result in a fault, which can easily result in a denial-of-service attack.

Code Block
bgColor#FFcccc
langc
void func(signed long s_a, signed long s_b) {
  if ((s_a == LONG_MIN) && (s_b == -1)) {
    /* Handle error */
  } else {
    signed long result = s_a / s_b;
  }
  /* ... */
}

Compliant Solution

This compliant solution tests the suspect division operation to guarantee there is no possibility of divide-by-zero errors or signed overflow:

Code Block
bgColor#ccccff
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if ((s_b == 0) || ((s_a == LONG_MIN) && (s_b == -1))) {
    /* Handle error */
  } else {
    result = s_a / s_b;
  }

  /* ... */
}

...

Remainder

The modulo remainder operator provides the remainder when two operands of integer type are divided. 

Noncompliant Code Example

This noncompliant code example can result in a divide-by-zero error during the modulo operation on the signed operands s_a and s_b. Furthermore, many hardware platforms implement modulo as part of the division operator, which can overflow. Overflow can occur during a modulo operation when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. This occurs even though the result of such a modulo operation is mathematically 0.

Code Block
bgColor#FFcccc
langc
void func(signed long s_a, signed long s_b) {
  if ((s_a == LONG_MIN) && (s_b == -1)) {
    /* Handle error */
  } else {
    signed long result = s_a % s_b;
  }
   /* ... */
}

Implementation Details

On x86 platforms, the modulo operator for signed integers is implemented by the idiv instruction code, along with the divide operator. Because LONG_MIN / -1 overflows, this code will throw a floating-point exception on LONG_MIN % -1.

On Microsoft Visual Studio 2013, taking the modulo of LONG_MIN by −1 results in abnormal termination on x86 and x64. On GCC/Linux, taking the modulo of LONG_MIN by −1 produces a floating-point exception. However, on GCC 4.2.4 and newer, with optimization enabled, taking the modulo of LONG_MIN by −1 yields the value 0.

...

Compliant Solution
This compliant solution tests the modulo remainder operand to guarantee there is no possibility of a divide-by-zero error or an (internal) overflow error:
 Code Block
bgColor#ccccff
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if ((s_b == 0 ) || ((s_a == LONG_MIN) && (s_b == -1))) {
    /* Handle error */
  } else {
    result = s_a % s_b;
  }
  
  /* ... */
}
Compliant Solution (Absolute Value)
This compliant solution is based on the fact that both the The division and modulo remainder operators truncate toward 0, as specified in subclause 6.5.5, footnote 105, of the C Standard [ISO/IEC 9899:2011], which guarantees that
...
However, the minimum signed value modulo remainder −1 results in undefined behavior because the minimum signed value divided by -1 is not representable.
 Code Block
bgColor#ccccff
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if (s_b == 0 || (s_a == LONG_MIN && s_b == -1)) {
    /* Handle error */
  } else {
    if ((s_b < 0) && (s_b != LONG_MIN)) {
      s_b = -s_b;
    }
    result = s_a % s_b;
  }

  /* ... */
}
Risk Assessment
A divide by zero can result in abnormal program termination and denial of service.
Rule
Severity
Likelihood
Remediation Cost
Priority
Level
INT33-C
Low
Likely
Medium
P6
L2
Automated Detection
Tool
Version
Checker
Description
Compass/ROSE
  
Can detect some violations of this rule. In particular, it ensures that all operations involving division or modulo are preceded by a check ensuring that the second operand is nonzero
Coverity6.5DIVIDE_BY_ZEROFully implemented
Fortify SCA5.0 
Can detect violations of this rule with CERT C Rule Pack
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
43 D
248 S
Partially implemented
PRQA QA-C
 Include Page
PRQA_V
PRQA_V
2830 (C)
2831 (D)
2832 (A)
2833 (S)
2834 (P)
Fully implemented
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C Secure Coding StandardINT32-C. Ensure that operations on signed integers do not result in overflow 
CERT C++ Secure Coding StandardINT33-CPP. Ensure that division and modulo operations do not result in divide-by-zero errors
CERT Oracle Secure Coding Standard for JavaNUM02-J. Ensure that division and modulo operations do not result in divide-by-zero errors
ISO/IEC TS 17961Integer division errors [diverr]
MITRE CWECWE-369, Divide by zero
Bibliography
[ISO/IEC 9899:2011]Subclause 6.5.5, "Multiplicative operators" 
[Seacord 2013]Chapter 5, "Integer Security"
[Warren 2002]Chapter 2, "Basics"
...