SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 95

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 96

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The result of the / operator is the quotient from the division of the first arithmetic operand by the second arithmetic operand. Division operations are susceptible to divide-by-zero errors. Overflow can also occur during two's complement signed integer division when the dividend is equal to the minimum (most negative) value for the signed integer type and the divisor is equal to −1. (See see INT32-C. Ensure that operations on signed integers do not result in overflow).)

Noncompliant Code Example

This noncompliant code example prevents signed integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow but fails to prevent a divide-by-zero error during the division of the signed operands s_a and s_b:

Code Block
bgColor#FFcccc
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if ((s_a == LONG_MIN) && (s_b == -1)) {
    /* Handle error */
  } else {
    result = s_a / s_b;
  }
  /* ... */
}

...

This compliant solution tests the suspect division operation to guarantee there is no possibility of divide-by-zero errors or signed overflow:

...

This noncompliant code example prevents signed integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow but fails to prevent a divide-by-zero error during the modulo remainder operation on the signed operands s_a and s_b.:

Code Block
bgColor#FFcccc
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if ((s_a == LONG_MIN) && (s_b == -1)) {
    /* Handle error */
  } else {
    result = s_a % s_b;
  }
  /* ... */
}

...

Code Block
bgColor#ccccff
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if ((s_b == 0 ) || ((s_a == LONG_MIN) && (s_b == -1))) {
    /* Handle error */
  } else {
    result = s_a % s_b;
  }
  /* ... */
}

Risk Assessment

A divide-by-zero error can result in abnormal program termination and denial of service.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT33-C

Low

Likely

Medium

P6

L2

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C Secure Coding StandardINT32-C. Ensure that operations on signed integers do not result in overflow 
CERT C++ Secure Coding StandardINT33-CPP. Ensure that division and modulo operations do not result in divide-by-zero errors
CERT Oracle Secure Coding Standard for JavaNUM02-J. Ensure that division and modulo operations do not result in divide-by-zero errors
ISO/IEC TS 17961Integer division errors [diverr]
MITRE CWECWE-369, Divide by zero

Bibliography

...

By Zero

Bibliography

...

[Seacord 20132013b]Chapter 5, "Integer Security"
[Warren 2002]Chapter 2, "Basics"

...