Description

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-682
CWE-682
CWE-617
CWE-170
CWE-119

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

Potential Mitigations

Phase: Implementation

Description: 

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

CVE References

• CVE-2003-0252
  • Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.

• CVE-2001-1391
  • Off-by-one vulnerability in driver allows users to modify kernel memory.

• CVE-2002-0083
  • Off-by-one error allows local users or remote malicious servers to gain privileges.

• CVE-2002-0653
  • Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.

• CVE-2002-0844
  • Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.

• CVE-1999-1568
  • Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.

• CVE-2004-0346
  • Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.

• CVE-2004-0005
  • Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.

• CVE-2003-0356
  • Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.

• CVE-2001-1496
  • Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.

• CVE-2004-0342
  • This is an interesting example that might not be an off-by-one.

• CVE-2001-0609
  • An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.

• CVE-2002-1745
  • Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.

• CVE-2002-1816
  • Off-by-one buffer overflow.

• CVE-2002-1721
  • Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.

• CVE-2003-0466
  • Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.

• CVE-2003-0625
  • Off-by-one error allows read of sensitive memory via a malformed request.

• CVE-2006-4574
  • Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.