Main Content

CERT C: Rule INT33-C

Ensure that division and remainder operations do not result in divide-by-zero errors

Description

Rule Definition

Ensure that division and remainder operations do not result in divide-by-zero errors.1

Polyspace Implementation

The rule checker checks for these issues:

  • Integer division by zero.

  • Tainted division operand.

  • Tainted modulo operand.

Extend Checker

Extend this checker to run a stricter analysis:

Examples

expand all

Issue

Integer division by zero occurs when the denominator of a division or modulo operation can be a zero-valued integer.

Risk

A division by zero can result in a program crash.

Fix

The fix depends on the root cause of the defect. Often the result details show a sequence of events that led to the defect. Use this event list to determine how the denominator variable acquires a zero value. You can implement the fix on any event in the sequence. If the result details do not show the event history, you can trace back using right-click options in the source code and see previous related events. See also Interpret Bug Finder Results in Polyspace Desktop User Interface.

It is a good practice to check for zero values of a denominator before division and handle the error. Instead of performing the division directly:

res = num/den;
use a library function that handles zero values of the denominator before performing the division:
res = div(num, den);

See examples of fixes below.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

Example - Dividing an Integer by Zero
int fraction(int num)
{
    int denom = 0;
    int result = 0;

    result = num/denom; //Noncompliant

    return result;
}

A division by zero error occurs at num/denom because denom is zero.

Correction — Check Before Division
int fraction(int num)
{
    int denom = 0;
    int result = 0;

    if (denom != 0)
        result = num/denom;

    return result;
}

Before dividing, add a test to see if the denominator is zero, checking before division occurs. If denom is always zero, this correction can produce a dead code defect in your Polyspace® results.

Correction — Change Denominator

One possible correction is to change the denominator value so that denom is not zero.

int fraction(int num)
{
    int denom = 2;
    int result = 0;

    result = num/denom;

    return result;
}
Example - Modulo Operation with Zero
int mod_arr(int input)
{
    int arr[5];
    for(int i = 0; i < 5; i++)
    {
        arr[i] = input % i; //Noncompliant
    }

    return arr[0]+arr[1]+arr[2]+arr[3]+arr[4];
}

In this example, Polyspace flags the modulo operation as a division by zero. Because modulo is inherently a division operation, the divisor (right hand argument) cannot be zero. The modulo operation uses the for loop index as the divisor. However, the for loop starts at zero, which cannot be an iterator.

Correction — Check Divisor Before Operation

One possible correction is checking the divisor before the modulo operation. In this example, see if the index i is zero before the modulo operation.

int mod_arr(int input)
{
    int arr[5];
    for(int i = 0; i < 5; i++)
    {
        if(i != 0)
        {
             arr[i] = input % i;
        }
        else
        {
             arr[i] = input;
        }
    }

    return arr[0]+arr[1]+arr[2]+arr[3]+arr[4];
}
Correction — Change Divisor

Another possible correction is changing the divisor to a nonzero integer. In this example, add one to the index before the % operation to avoid dividing by zero.

int mod_arr(int input)
{
    int arr[5];
    for(int i = 0; i < 5; i++)
    {
         arr[i] = input % (i+1);
    }

    return arr[0]+arr[1]+arr[2]+arr[3]+arr[4];
}
Issue

Tainted division operand detects division operations where one or both of the integer operands is from an unsecure source.

Risk

  • If the numerator is the minimum possible value and the denominator is -1, your division operation overflows because the result cannot be represented by the current variable size.

  • If the denominator is zero, your division operation fails possibly causing your program to crash.

These risks can be used to execute arbitrary code. This code is usually outside the scope of a program's implicit security policy.

Fix

Before performing the division, validate the values of the operands. Check for denominators of 0 or -1, and numerators of the minimum integer value.

Example - Division of Function Arguments
#include<stdio.h>
extern void print_int(int);

int taintedintdivision(void) {
    int num, den;
	scanf("%lf %lf",&num, &den);
	int r =  num/den;  //Noncompliant
    print_int(r);
    return r;
}

This example function divides two argument variables, then prints and returns the result. The argument values are unknown and can cause division by zero or integer overflow.

Correction — Check Values

One possible correction is to check the values of the numerator and denominator before performing the division.

#include<stdio.h>
#include <limits.h> 
extern void print_int(int);

int taintedintdivision(void) {
	int num, den;
	scanf("%lf %lf",&num, &den);
	int r = 0;
	if (den!=0 && !(num=INT_MIN && den==-1)){
		r =  num/den; 	
	}
	print_int(r);
	return r;
}
Issue

Tainted modulo operand checks the operands of remainder % operations. Bug Finder flags modulo operations with one or more tainted operands.

Risk

  • If the second remainder operand is zero, your remainder operation fails, causing your program to crash.

  • If the second remainder operand is -1, your remainder operation can overflow if the remainder operation is implemented based on the division operation that can overflow.

  • If one of the operands is negative, the operation result is uncertain. For C89, the modulo operation is not standardized, so the result from negative operands is implementation-defined.

These risks can be exploited by attackers to gain access to your program or the target in general.

Fix

Before performing the modulo operation, validate the values of the operands. Check the second operand for values of 0 and -1. Check both operands for negative values.

Example - Modulo with UInsecure Input
#include<stdio.h>
extern void print_int(int);

int taintedintmod(void) {
	int userden;
	scanf("%d",&userden);
    int rem =  128%userden;  //Noncompliant
    print_int(rem);
    return rem;
}

In this example, the function performs a modulo operation by using a user input. The input is not checked before calculating the remainder for values that can crash the program, such as 0 and -1.

Correction — Check Operand Values

One possible correction is to check the values of the operands before performing the modulo operation. In this corrected example, the modulo operation continues only if the second operand is greater than zero.

#include<stdio.h>
extern void print_int(int);

int taintedintmod(void) {
	int userden;
	scanf("%d",&userden);
	int rem = 0;
    if (userden > 0) { 
        rem = 128 % userden; 
    }
    print_int(rem);
    return rem;
}

Check Information

Group: Rule 04. Integers (INT)

Version History

Introduced in R2019a


1 This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.