CWE List, version 1.6

CWE-193: Off-by-one Error

Weakness ID: 193 (Weakness Base)
Status: Draft
+ Description

Description Summary

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
+ Alternate Terms
off-by-five:

An "off-by-five" error was reported for sudo in 2002 (CVE-2002-0184), but that is more like a "length calculation" error.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference | Description
CVE-2003-0252 |
CVE-2001-1391 |
CVE-2002-0083 |
CVE-2002-0653 |
CVE-2002-0844 |
CVE-1999-1568 |
CVE-2004-0346 |
CVE-2004-0005 |
CVE-2003-0356 |
CVE-2001-1496 |
CVE-2004-0342 | This is an interesting example that might not be an off-by-one.
CVE-2001-0609 | An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enables a format string.
CVE-2002-1745 | Off-by-one error allows source code disclosure of files with 4-letter extensions that match an accepted 3-letter extension.
CVE-2002-1816 | Off-by-one buffer overflow.
CVE-2002-1721 | Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.
CVE-2003-0466 | Off-by-one error in a function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.
CVE-2003-0625 | Off-by-one error allows read of sensitive memory via a malformed request.
CVE-2006-4574 | Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
CanPrecede | Weakness Class | 119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Research Concepts (1000)
CanPrecede | Weakness Base | 170 | Improper Null Termination | Research Concepts (1000)
CanPrecede | Weakness Variant | 617 | Reachable Assertion | Research Concepts (1000)
ChildOf | Weakness Class | 682 | Incorrect Calculation | Development Concepts (primary) (699); Research Concepts (primary) (1000)
ChildOf | Category | 741 | CERT C Secure Coding Section 07 - Characters and Strings (STR) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) (734)
+ Relationship Notes

This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.
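The most common form of this weakness in C is a length guard that uses the wrong comparison, so a string exactly as long as its buffer passes the check and its null terminator lands one byte past the end (the case the STR31-C mapping below addresses). The following is an added illustration written for this page, not code from CWE or from any product in the examples above; BUF_SIZE and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed example buffer size */

/* Bytes a C string of `len` characters occupies: the characters plus '\0'. */
size_t bytes_needed(size_t len) { return len + 1; }

/* The weakness: the guard rejects lengths *greater than* the buffer size,
 * so len == BUF_SIZE is accepted although the copy then writes
 * BUF_SIZE + 1 bytes. The maximum is off by one. */
bool accepts_off_by_one(size_t len) { return !(len > BUF_SIZE); }

/* Corrected guard: the terminator needs its own byte, so at most
 * BUF_SIZE - 1 characters fit. */
bool accepts_correct(size_t len) { return len < BUF_SIZE; }

/* Does the given guard let through a length whose copy would not fit? */
bool guard_overflows(bool (*accepts)(size_t), size_t len) {
    return accepts(len) && bytes_needed(len) > BUF_SIZE;
}

/* Copy src into dst using the corrected guard. Returns 0 on success,
 * -1 when the input is rejected (dst is then left untouched). */
int copy_bounded(char dst[BUF_SIZE], const char *src) {
    size_t len = strlen(src);
    if (!accepts_correct(len))
        return -1;
    memcpy(dst, src, bytes_needed(len)); /* at most BUF_SIZE bytes */
    return 0;
}

int main(void) {
    char dst[BUF_SIZE];
    printf("len 16, off-by-one guard overflows: %d\n",
           guard_overflows(accepts_off_by_one, 16));
    printf("len 16, corrected guard overflows:  %d\n",
           guard_overflows(accepts_correct, 16));
    printf("copy of 15 chars: %d\n", copy_bounded(dst, "123456789012345"));
    printf("copy of 16 chars: %d\n", copy_bounded(dst, "1234567890123456"));
    return 0;
}
```

The guard comparison is evaluated symbolically rather than by performing the out-of-bounds write, so the program runs without undefined behaviour while still showing which lengths each guard admits.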

+ Research Gaps

Under-studied. It requires careful code analysis or black box testing, where inputs of excessive length might not cause an error. Off-by-ones are likely triggered by extensive fuzzing, with the attendant diagnostic problems.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Off-by-one Error
CERT C Secure Coding | STR31-C | | Guarantee that storage for strings has sufficient space for character data and the null terminator
+ References
Halvar Flake. "Third Generation Exploits". presentation at Black Hat Europe 2001. <http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/bh-europe-01-halvarflake.ppt>.
Steve Christey. "Off-by-one errors: a brief explanation". Secprog and SC-L mailing list posts. 2004-05-05. <http://marc.theaimsgroup.com/?l=secprog&m=108379742110553&w=2>.
klog. "The Frame Pointer Overwrite". Phrack Issue 55, Chapter 8. 1999-09-09. <http://kaizo.org/mirrors/phrack/phrack55/P55-08>.
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code (The buffer overflow chapter)". Addison-Wesley. February 2004.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-09-08 | CWE Content Team | MITRE | Internal
updated Alternate Terms, Common Consequences, Relationships, Observed Example, Relationship Notes, Taxonomy Mappings
2008-11-24 | CWE Content Team | MITRE | Internal
updated Relationships, Taxonomy Mappings
Page Last Updated: October 29, 2009