Off-by-one Error [CWE-193] — The Hacktivists

1. Description
………………………………

An off-by-one condition is a logic error in size calculation when working with strings and arrays. It usually shows up at a boundary condition, typically reading or writing one element past the end of a buffer, which may lead to memory corruption.

/* Example 1: the loop bound uses <= instead of <, so the last iteration
   reads filename[MAX_CHARS], one element past the end of the array. */
#include <stdio.h>
#include <string.h>   /* strlen() */
#define MAX_CHARS 19
int main ()
{
    int x;
    int ite_loop = 0;
    /* The literal is 19 characters, so a 19-byte array has no room for the
       terminating '\0'; strlen() therefore also reads past the array. */
    char filename[MAX_CHARS] = "My mother loves me.";
    printf("Length of filename array: %zu\n", strlen(filename));
    for (x = 0; x <= MAX_CHARS; x++) {   /* off by one: should be x < MAX_CHARS */
        printf("%c", filename[x]);
        ite_loop += 1;
    }
    printf("\nIterations: %d\n", ite_loop);
    return 0;
}

/* Example 2: the loop bound MAX_VALUE (30) is unrelated to the array size, so
   the loop reads indices 19..30, twelve bytes beyond the 19-byte array. */
#include <stdio.h>
#include <string.h>   /* strlen() */
#define MAX_CHAR 19
#define MAX_VALUE 30
int main ()
{
    int x;
    int ite_loop = 0;
    char filename[MAX_CHAR] = "My mother loves me.";   /* again no room for '\0' */
    printf("Length of filename array: %zu\n", strlen(filename));
    for (x = 0; x <= MAX_VALUE; x++) {   /* out of bounds once x >= MAX_CHAR */
        printf("%c", filename[x]);
        ite_loop += 1;
    }
    printf("\nIterations: %d\n", ite_loop);
    return 0;
}

/* Example 3: strncat appends a '\0' after the n bytes it copies, so the bound
   must be sizeof(buf)-strlen(buf)-1; as written the '\0' can land past buf. */
strcpy(buf, "buffer:");
strncat(buf, input, sizeof(buf)-strlen(buf));
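The strcpy/strncat fragment above in hardened form, as an added example that is not part of the original article: build_line, was_truncated, BUF_SIZE and the constructed input are my own names and values, and the bound passed to strncat reserves the byte it always writes for the terminator.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 20          /* assumed buffer size for the demo */
#define PREFIX   "buffer:"   /* the prefix used in the fragment above */

/* Hardened form of the strcpy/strncat pair. strncat(dst, src, n) copies up to
   n bytes and then ALWAYS writes a '\0', so n must be one less than the free
   space. Returns the final string length, or -1 if even the prefix plus its
   terminator does not fit in bufsize bytes (nothing is written in that case). */
int build_line(char *buf, size_t bufsize, const char *input)
{
    size_t room;

    if (strlen(PREFIX) + 1 > bufsize)       /* prefix and '\0' must fit */
        return -1;
    strcpy(buf, PREFIX);                    /* safe: size checked above */
    room = bufsize - strlen(buf) - 1;       /* the -1 reserves the '\0' byte */
    strncat(buf, input, room);              /* writes at most room + 1 bytes */
    return (int)strlen(buf);                /* always <= bufsize - 1 */
}

/* Reports whether build_line() had to drop part of input to stay in bounds. */
int was_truncated(size_t bufsize, const char *input)
{
    return strlen(PREFIX) + strlen(input) + 1 > bufsize;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* Constructed input: 20 bytes, more than the 12 bytes left after the prefix. */
    const char *input = "AAAAAAAAAAAAAAAAAAAA";
    int len = build_line(buf, sizeof buf, input);

    /* buf[BUF_SIZE - 1] holds the terminator; nothing was written past the array. */
    printf("\"%s\" len=%d truncated=%d\n", buf, len,
           was_truncated(sizeof buf, input));
    return 0;
}
```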

2. Potential impact
………………………………

An off-by-one error leads to unpredictable behaviour of the application, depending on the nature of the vulnerability, and in most cases results in an application crash or an infinite loop. This weakness can also lead to buffer overflow and memory corruption. In the case of a heap-based buffer overflow, the most obvious result is an application crash. If an off-by-one error leads to a stack-based buffer overflow, successful code execution is more likely.

3. Attack patterns
………………………………

Software written in languages such as C and C++, which do not perform automatic memory management or bounds checking, is potentially vulnerable to this weakness.

4. Affected software
………………………………

Developers should pay extra attention to correct size parameters, accounting for the null terminator, when copying character arrays or performing manipulations on arrays.

5. Severity and CVSS Scoring
………………………………

Off-by-one errors can be used to cause an application crash, data tampering or execution of arbitrary code. Depending on the software and vulnerable code, these weaknesses could be locally or remotely exploitable.
