English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CWE-193 Detail

CWE-193

Off-by-one Error
Draft
2006-07-19 00:00 +00:00
2023-06-29 00:00 +00:00
CWE Mitre.org

Alerte pour un CWE

Stay informed of any changes for a specific CWE.
Alert management

Off-by-one Error

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

Note: This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
IntegrityModify Memory

Note: If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Confidentiality
Availability
Access Control		Execute Unauthorized Code or Commands, Bypass Protection Mechanism

Note: This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Observed Examples

Reference Description
CVE-2003-0252Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.
CVE-2001-1391Off-by-one vulnerability in driver allows users to modify kernel memory.
CVE-2002-0083Off-by-one error allows local users or remote malicious servers to gain privileges.
CVE-2002-0653Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.
CVE-2002-0844Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.
CVE-1999-1568Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.
CVE-2004-0346Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.
CVE-2004-0005Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.
CVE-2003-0356Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.
CVE-2001-1496Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.
CVE-2004-0342This is an interesting example that might not be an off-by-one.
CVE-2001-0609An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.
CVE-2002-1745Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.
CVE-2002-1816Off-by-one buffer overflow.
CVE-2002-1721Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.
CVE-2003-0466Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.
CVE-2003-0625Off-by-one error allows read of sensitive memory via a malformed request.
CVE-2006-4574Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.

Potential Mitigations

Phases : Implementation
When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.

References

REF-155

Third Generation Exploits
Halvar Flake.
https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-europe-01%2Fhalvar-flake%2Fbh-europe-01-halvarflake.ppt&wdOrigin=BROWSELINK

REF-156

Off-by-one errors: a brief explanation
Steve Christey.
http://marc.info/?l=secprog&m=108379742110553&w=2

REF-157

The Frame Pointer Overwrite
klog.
https://kaizo.org/mirrors/phrack/phrack55/P55-08

REF-140

Exploiting Software: How to Break Code
Greg Hoglund, Gary McGraw.
https://www.amazon.com/Exploiting-Software-How-Break-Code/dp/0201786958

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Submission

Name Organization Date Date Release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2008-09-08 +00:00 updated Alternate_Terms, Common_Consequences, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-12-13 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Observed_Examples, References, Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated References
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2017-05-03 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, References, Taxonomy_Mappings
CWE Content Team MITRE 2018-03-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2019-06-20 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2022-04-28 +00:00 updated Research_Gaps
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.