DBZ.GENERAL

Assigned zero constant value might be used in a division by zero

An attempt to do a division or modulo operation using zero as the divisor causes a runtime error. Division by zero defects often occur due to ineffective error handling or race conditions, and typically cause abnormal program termination. Before a value is used as the divisor of a division or modulo operation in C/C++ code, it must be checked to confirm that it is not equal to zero.

The DBZ checkers look for instances in which a zero constant value is used as the divisor of a division or modulo operation.

The DBZ.GENERAL checker flags situations in which a variable that has been assigned a zero constant value locally or as the result of a function call might subsequently be used explicitly or passed to a function that might use it as a divisor of a division or modulo operation without checking it for the zero value.

Vulnerability and risk

Integer division by zero usually result in the failure of the process or an exception. It can also result in success of the operation, but gives an erroneous answer. Floating-point division by zero is more subtle. It depends on the implementation of the compiler. If the compiler is following the IEEE floating-point standard (IEEE 754), then the result of the floating-point division by zero has a well-defined result. However, the C and C++ standards do not enforce compliance to IEEE 754. Thus, floating-point division by zero has an undefined behavior in C and C++ and might result in the failure of the process or an exception.

Division by zero issues typically occur due to ineffective exception handling. To avoid this vulnerability, check for a zero value before using it as the divisor of a division or modulo operation.

Vulnerable code example

Copy
  int compute_mean(int array[], size_t size)
  {
      int sum = 0;
      for (size_t i = 0; i < size; ++i) {
          sum += array[i];
      }
      return sum / size;
  }
  
  void use_mean()
  {
      int size = 0;
      int mean = compute_mean(0, size);
  }

Klocwork produces an issue report at line 13 indicating that the value of the variable 'size' is 0 at the call of 'compute_mean' and it is used as the divisor of the division operation on line 7. A division by zero can produce unexpected and unintended results.

Fixed code example

Copy
 int compute_mean(int array[], size_t size)
  {
      if (size == 0) {
          return 0; // or exceptional case.
      }

      int sum = 0;
      for (size_t i = 0; i < size; ++i) {
          sum += array[i];
     }
     return sum / size;
  }
 
  void use_mean()
  {
      int size = 0;
      int mean = compute_mean(0, size);
  }

The problem from the previous snippet is fixed: the input variable 'size' is checked for the exceptional case of the zero constant value in line 3 and prevents the division from happening in this specific case.

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.

Limitations

This checker does not deal with global variable assigned to zero outside of the current analyzed function. This means that defects involving global variables may not be detected by this checker. For example:
Copy
  static int myzero = 0;
 
  int do_dbz()
  {
     return 23 / myzero;
  }
This checker does not deal with abstract symbolic expressions evaluating to zero. This means that defects involving this kind of reasoning may not be detected by this checker. For example:
Copy
  void do_dbz_func(int x, int y)
  {
     int z = 23;
     z /= x - y;    // Here, x == y will give 0 for x - y. Divide by zero will not detected.
  }

  void do_dbz(int x)
  {   
     do_dbz_func(x, x);   // Divide by zero will happen here since x - x = 0. Not detected by this checker.
 }