CWE-193: Off-by-one Error
CWE Version: 4.18
Updated: 2025-09-09
Description
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Common Consequences
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Instability
Note: This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Scope: Integrity
Technical Impact: Modify Memory
Note: If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Scope: Confidentiality; Availability; Access Control
Technical Impact: Execute Unauthorized Code or Commands; Bypass Protection Mechanism
Note: This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
Potential Mitigations
Phase: Implementation
Description: When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
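As an added illustration of the mitigation above (example code, not part of the CWE entry), the following C shows the length check that forgets the terminator beside the correct one, and a bounded copy built on the correct check. The 1024-byte buffer and the RETR-style command are constructed to mirror the CVE-2004-0346 observed example; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size, chosen to mirror the 1024-byte command in CVE-2004-0346. */
#define CMD_BUF_SIZE 1024

/* Off-by-one check: forgets that the terminating '\0' needs its own slot, so a
 * 1024-character string is accepted into a 1024-byte buffer. */
int fits_off_by_one(size_t src_len, size_t dst_size) {
    return src_len <= dst_size;
}

/* Correct check: the characters plus the terminator must fit, so src_len must be
 * strictly less than dst_size. */
int fits_with_terminator(size_t src_len, size_t dst_size) {
    return src_len < dst_size;
}

/* Bounded copy that applies the correct check before writing to dst.
 * Returns 0 on success, -1 if src plus its terminator does not fit; on -1 dst
 * is left as an empty string so callers never see an unterminated buffer. */
int copy_command(char *dst, size_t dst_size, const char *src) {
    size_t src_len = strlen(src);
    if (dst_size == 0) return -1;
    if (!fits_with_terminator(src_len, dst_size)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len + 1); /* +1 copies the terminator as well */
    return 0;
}

/* Builds a constructed command of n 'A' characters (caller frees). */
char *make_command(size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    char buf[CMD_BUF_SIZE];
    char *cmd = make_command(CMD_BUF_SIZE); /* 1024 chars: no room left for '\0' */
    if (!cmd) return 1;
    printf("off-by-one check accepts: %d\n", fits_off_by_one(strlen(cmd), sizeof buf));
    printf("correct check accepts:    %d\n", fits_with_terminator(strlen(cmd), sizeof buf));
    printf("copy_command result:      %d\n", copy_command(buf, sizeof buf, cmd));
    free(cmd);
    return 0;
}
```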
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Observed Examples
Reference: CVE-2003-0252
Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.
Reference: CVE-2001-1391
Off-by-one vulnerability in driver allows users to modify kernel memory.
Reference: CVE-2002-0083
Off-by-one error allows local users or remote malicious servers to gain privileges.
Reference: CVE-2002-0653
Off-by-one buffer overflow in function used by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.
Reference: CVE-2002-0844
Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.
Reference: CVE-1999-1568
Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.
Reference: CVE-2004-0346
Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.
Reference: CVE-2004-0005
Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.
Reference: CVE-2003-0356
Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.
Reference: CVE-2001-1496
Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Reference: CVE-2004-0342
This is an interesting example that might not be an off-by-one.
Reference: CVE-2001-0609
An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.
Reference: CVE-2002-1745
Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.
Reference: CVE-2002-1816
Off-by-one buffer overflow.
Reference: CVE-2002-1721
Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.
Reference: CVE-2003-0466
Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.
Reference: CVE-2003-0625
Off-by-one error allows read of sensitive memory via a malformed request.
Reference: CVE-2006-4574
Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Off-by-one Error | - |
| CERT C Secure Coding | STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | - |