CWE-193 Detail

CWE-193

Off-by-one Error
Draft
2006-07-19
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Off-by-one Error

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

Note: This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
IntegrityModify Memory

Note: If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Confidentiality
Availability
Access Control		Execute Unauthorized Code or Commands, Bypass Protection Mechanism

Note: This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Observed Examples

References Description

CVE-2003-0252

Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.

CVE-2001-1391

Off-by-one vulnerability in driver allows users to modify kernel memory.

CVE-2002-0083

Off-by-one error allows local users or remote malicious servers to gain privileges.

CVE-2002-0653

Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.

CVE-2002-0844

Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.

CVE-1999-1568

Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.

CVE-2004-0346

Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.

CVE-2004-0005

Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.

CVE-2003-0356

Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.

CVE-2001-1496

Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.

CVE-2004-0342

This is an interesting example that might not be an off-by-one.

CVE-2001-0609

An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.

CVE-2002-1745

Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.

CVE-2002-1816

Off-by-one buffer overflow.

CVE-2002-1721

Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.

CVE-2003-0466

Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.

CVE-2003-0625

Off-by-one error allows read of sensitive memory via a malformed request.

CVE-2006-4574

Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.

Potential Mitigations

Phases : Implementation
When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.

References

REF-155

Third Generation Exploits
Halvar Flake.
https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-europe-01%2Fhalvar-flake%2Fbh-europe-01-halvarflake.ppt&wdOrigin=BROWSELINK

REF-156

Off-by-one errors: a brief explanation
Steve Christey.
http://marc.info/?l=secprog&m=108379742110553&w=2

REF-157

The Frame Pointer Overwrite
klog.
https://kaizo.org/mirrors/phrack/phrack55/P55-08

REF-140

Exploiting Software: How to Break Code
Greg Hoglund, Gary McGraw.
https://www.amazon.com/Exploiting-Software-How-Break-Code/dp/0201786958

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Submission

Name Organization Date Date release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2008-09-08 +00:00 updated Alternate_Terms, Common_Consequences, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-12-13 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Observed_Examples, References, Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated References
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2017-05-03 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, References, Taxonomy_Mappings
CWE Content Team MITRE 2018-03-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2019-06-20 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2022-04-28 +00:00 updated Research_Gaps
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes