Writing 0 symbols is pointless

Vulnerability potential None
DDoS potential None

Write size is 0 symbol long

Impact

A write is issued with a length of zero — fwrite(buf, 1, 0, f), fwrite(buf, 0, n, f), or write(fd, buf, 0). No bytes leave the program. The call is inert, but it is almost always a symptom of a broken size calculation: a length that collapsed to 0 where the real number of bytes was meant (a forgotten strlen, a sizeof mistake, an off-by-one, or an uninitialized counter). The caller typically believes the data was persisted when nothing was written, which leads to truncated files, empty records, or messages that never reach the peer.

The harm is the silent loss of the intended output, not the no-op write itself.

Vulnerability potential

A zero-length write has no security impact: it emits no data, cannot overflow, and cannot corrupt anything. The ratings are None/None. The only indirect note is that the same miscomputed length, if reused for a buffer copy elsewhere, could be unsafe — but that would be a separate defect at the copy site, not this write.

Technical details

fwrite semantics

fwrite(ptr, size, nmemb, stream) writes size * nmemb bytes and returns the number of elements written. If size or nmemb is 0, it writes nothing and returns 0. A success check of the form fwrite(...) == nmemb then sees 0 == 0 and wrongly reports success, masking the fact that nothing was stored.

write(2) semantics

write(fd, buf, 0) returns 0 with no side effect (for a regular file). Since a short or zero return from write is also how partial writes are signalled, a loop that advances by the return value can spin or terminate incorrectly when the count was accidentally zero.

Where the zero comes from

Common origins: sizeof(ptr) instead of the buffer length, writing strlen(s) of an empty/uninitialized string, a length field defaulted to 0, or end - start with equal bounds.

Catching the issue

Compiler warnings

-Wall -Wextra flags some constant zero sizes and the sizeof confusions that cause them.

Static analysis

The analyzer emitting this diagnostic, together with Cppcheck and clang-tidy, constant-folds the size argument and reports a provably zero-length write, and catches the usual sizeof/strlen mistakes behind it.

Runtime checks and review

Assert that computed write sizes are non-zero on paths that must emit data, and compare fwrite/write return values against the requested count (and handle short writes) instead of assuming the call wrote everything.

How to reproduce

Run this: the write asks for 0 bytes, returns 0, the success check passes, yet the file ends up empty — observe that nothing was written despite the “ok” report.

#include <stdio.h>
#include <string.h>

int main(void)
{
    FILE *f = fopen("/tmp/zw_demo.txt", "w");
    if (!f) return 1;

    const char *msg = "important record\n";
    size_t len = 0;                  /* should be strlen(msg) */

    size_t n = fwrite(msg, 1, len, f);   /* writes nothing */
    if (n == len)                    /* 0 == 0: false success */
        printf("write ok\n");        /* but the file is empty */

    fclose(f);
    return 0;
}