CWE-369: Divide By Zero
Weakness ID: 369
Version: v4.17
Weakness Name: Divide By Zero
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: Medium
▼Description

The product divides a value by zero.

▼Extended Description

This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature  | Mapping     | Type   | ID  | Name
ChildOf | Discouraged | Pillar | 682 | Incorrect Calculation
▼Memberships

Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 189  | Numeric Errors
MemberOf | Prohibited | Category | 730  | OWASP Top Ten 2004 Category A9 - Denial of Service
MemberOf | Prohibited | Category | 738  | CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT)
MemberOf | Prohibited | Category | 739  | CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP)
MemberOf | Prohibited | Category | 848  | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM)
MemberOf | Prohibited | Category | 872  | CERT C++ Secure Coding Section 04 - Integers (INT)
MemberOf | Prohibited | Category | 873  | CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)
MemberOf | Prohibited | View     | 884  | CWE Cross-section
MemberOf | Prohibited | Category | 998  | SFP Secondary Cluster: Glitch in Computation
MemberOf | Prohibited | Category | 1137 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)
MemberOf | Prohibited | Category | 1158 | SEI CERT C Coding Standard - Guidelines 04. Integers (INT)
MemberOf | Prohibited | Category | 1408 | Comprehensive Categorization: Incorrect Calculation
▼Tags

Nature   | Mapping    | Type     | ID       | Name
MemberOf | Prohibited | BOSSView | BOSS-273 | Medium likelihood of exploit
MemberOf | Prohibited | BOSSView | BOSS-324 | DoS: Crash, Exit, or Restart (impact)
▼Relevant To View

Relevant to the view "Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java - (1133)"

Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1137 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)

Relevant to the view "Weaknesses Addressed by the SEI CERT C Coding Standard - (1154)"

Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1158 | SEI CERT C Coding Standard - Guidelines 04. Integers (INT)

Relevant to the view "Software Development - (699)"

Nature   | Mapping    | Type     | ID  | Name
MemberOf | Prohibited | Category | 189 | Numeric Errors

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

Nature   | Mapping    | Type     | ID  | Name
MemberOf | Prohibited | Category | 998 | SFP Secondary Cluster: Glitch in Computation
▼Background Detail

▼Common Consequences

Scope        | Likelihood | Impact                       | Note
Availability | N/A        | DoS: Crash, Exit, or Restart | A Divide by Zero results in a crash.

▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note: N/A

▼Applicable Platforms
▼Demonstrative Examples
Example 1

The following Java example contains a function to compute an average but does not validate that the input value used as the denominator is non-zero. Dividing by zero raises an exception; if that exception is not handled by Java exception handling, unexpected results can occur.

Language: Java (Bad code)

    public int computeAverageResponseTime(int totalTime, int numRequests) {
        // numRequests is never checked; a value of 0 throws ArithmeticException
        return totalTime / numRequests;
    }

By validating the input value used as the denominator, the following code ensures that a divide-by-zero error will not cause unexpected results. The following Java code example validates the input value, outputs an error message, and throws an exception.

Language: Java (Good code)

    public int computeAverageResponseTime(int totalTime, int numRequests) throws ArithmeticException {
        if (numRequests == 0) {
            System.out.println("Division by zero attempted!");
            // throw an instance, not the class name, so the statement compiles
            throw new ArithmeticException("Division by zero attempted!");
        }
        return totalTime / numRequests;
    }

Example 2

The following C/C++ example contains a function that divides two numeric values without verifying that the input value used as the denominator is non-zero. This produces an error for attempting to divide by zero; if that error is not caught by the error-handling capabilities of the language, unexpected results can occur.

Language: C (Bad code)

    double divide(double x, double y) {
        return x / y;   // y is never checked against zero
    }

By validating the input value used as the denominator, the following code ensures that a divide-by-zero error will not cause unexpected results. If the method is called and a zero is passed as the second argument, a DivideByZero error is thrown and should be caught by the calling block, which outputs a message indicating the error.

Language: C++ (Good code)

    #include <iostream>

    const int DivideByZero = 10;

    double divide(double x, double y) {
        if (0 == y) {
            throw DivideByZero;   // report the bad denominator to the caller
        }
        return x / y;
    }

    ...

    try {
        divide(10, 0);
    } catch (int i) {
        if (i == DivideByZero) {
            std::cerr << "Divide by zero error";
        }
    }

Example 3

The following C# example contains a function that divides two numeric values without verifying that the input value used as the denominator is non-zero. This produces an error for attempting to divide by zero; if that error is not caught by the error-handling capabilities of the language, unexpected results can occur.

Language: C# (Bad code)

    int Division(int x, int y) {
        return (x / y);   // y == 0 throws System.DivideByZeroException
    }

The method can be modified to raise, catch, and handle the DivideByZeroException if the input value used as the denominator is zero.

Language: C# (Good code)

    int SafeDivision(int x, int y) {
        try {
            return (x / y);
        } catch (System.DivideByZeroException dbz) {
            System.Console.WriteLine("Division by zero attempted!");
            return 0;   // caller receives a defined value instead of a crash
        }
    }
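The three demonstrative examples above all reduce to the same guard on the denominator. As an added example that is not part of the CWE entry, here it is in C with status codes instead of exceptions, together with the floating-point case that the C/C++ example's double parameters actually hit; safe_div and checked_fdiv are names chosen here, not from the entry.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from the CWE entry; names are chosen here. */

/* Integer division guarded the way the page's "good" Java and C# snippets
 * are, with a status return instead of an exception. A zero divisor would
 * otherwise trap (SIGFPE on x86), which is the DoS consequence listed
 * above. INT_MIN / -1 is rejected as well: the quotient does not fit in
 * an int, and on x86 the idiv instruction raises the same trap. */
bool safe_div(int num, int den, int *quot, int *rem)
{
    if (den == 0)
        return false;
    if (num == INT_MIN && den == -1)
        return false;
    *quot = num / den;
    *rem = num % den;
    return true;
}

/* Floating-point division does not trap under IEEE 754 defaults: the
 * page's "bad" C/C++ divide() takes doubles, so divide(10, 0) returns
 * +inf (0.0/0.0 gives NaN) instead of crashing, and the bogus value
 * propagates silently. Reject a zero divisor up front (== also matches
 * -0.0) and reject a quotient that overflowed to infinity; this is the
 * explicit checking CERT FLP03-C, mapped to this CWE above, calls for. */
bool checked_fdiv(double x, double y, double *out)
{
    if (y == 0.0)
        return false;
    double r = x / y;
    if (!isfinite(r))
        return false;
    *out = r;
    return true;
}

int main(void)
{
    int q = 0, r = 0;
    double d = 0.0;
    bool ok = safe_div(10, 3, &q, &r);
    printf("10/3 -> ok=%d q=%d r=%d\n", ok, q, r);
    printf("10/0 -> ok=%d\n", safe_div(10, 0, &q, &r));
    printf("1.0/0.0 -> ok=%d\n", checked_fdiv(1.0, 0.0, &d));
    return 0;
}
```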

▼Observed Examples

Reference     | Description
CVE-2007-3268 | Invalid size value leads to divide by zero.
CVE-2007-2723 | "Empty" content triggers divide by zero.
CVE-2007-2237 | Height value of 0 triggers divide by zero.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods

Automated Static Analysis
Detection Method ID: DM-14
Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High
Note: N/A

Fuzzing
Detection Method ID: DM-13
Description:

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

Effectiveness: High
Note: N/A

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings

Taxonomy Name                                           | Entry ID | Fit               | Entry Name
OWASP Top Ten 2004                                      | A9       | CWE More Specific | Denial of Service
CERT C Secure Coding                                    | FLP03-C  | N/A               | Detect and handle floating point errors
CERT C Secure Coding                                    | INT33-C  | Exact             | Ensure that division and remainder operations do not result in divide-by-zero errors
The CERT Oracle Secure Coding Standard for Java (2011)  | NUM02-J  | N/A               | Ensure that division and modulo operations do not result in divide-by-zero errors
Software Fault Patterns                                 | SFP1     | N/A               | Glitch in computation
▼Related Attack Patterns
▼References

Reference ID: REF-371
Title: Handling Errors Exceptionally Well in C++
Author: Alex Allain
URL: https://www.cprogramming.com/tutorial/exceptions.html
URL Date: 2023-04-07

Reference ID: REF-372
Title: Exceptions and Exception Handling (C# Programming Guide)
Author: Microsoft
URL: https://msdn.microsoft.com/pl-pl/library/ms173160(v=vs.100).aspx