CWE-193 (Off-by-one Error) — Vulnerability Class 58

58 vulnerabilities classified as CWE-193 (Off-by-one Error). AI Chinese analysis included.

CWE-193 represents an off-by-one error, a logic flaw where a product calculates or utilizes an incorrect maximum or minimum value that is exactly one unit greater or lesser than the correct limit. This weakness typically arises in boundary conditions during array indexing, loop iterations, or buffer allocation, leading to memory corruption or unexpected program termination. Attackers exploit these miscalculations to trigger buffer overflows, allowing them to overwrite adjacent memory structures with malicious payloads. By exceeding intended bounds, adversaries can execute arbitrary code, escalate privileges, or cause denial-of-service conditions. To prevent such vulnerabilities, developers must rigorously validate boundary conditions, employ static analysis tools to detect logic errors, and use high-level languages with automatic bounds checking. Additionally, thorough code reviews focusing on loop limits and array accesses ensure that integer arithmetic accurately reflects the intended data structure sizes, thereby eliminating the discrepancy that enables exploitation.

MITRE CWE Description
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Common Consequences (3)
Availability · DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Instability
This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Integrity · Modify Memory
If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Confidentiality, Availability, Access Control · Execute Unauthorized Code or Commands; Bypass Protection Mechanism
This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
Mitigations (1)
Implementation · When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
Examples (2)
The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.
    int i;
    unsigned int numWidgets;
    Widget **WidgetList;
    numWidgets = GetUntrustedSizeValue();
    if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
        ExitError("Incorrect number of widgets requested!");
    }
    /* Space for numWidgets pointers: valid indexes are 0 .. numWidgets-1. */
    WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
    printf("WidgetList ptr=%p\n", WidgetList);
    for(i=0; i<numWidgets; i++) {
        WidgetList[i] = InitializeWidget();
    }
    /* Off-by-one: index numWidgets is one element past the allocation. */
    WidgetList[numWidgets] = NULL;
    showWidgets(WidgetList);
Bad · C
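The allocation above holds numWidgets pointers, so the terminating write to WidgetList[numWidgets] lands one element past the end. A corrected version follows as an added illustration, not code from MITRE or from this page; the MAX_NUM_WIDGETS value, the Widget type, the InitializeWidget() body and the helper names BuildWidgetList, FreeWidgetList and CountWidgets are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_NUM_WIDGETS 16   /* assumed limit; the page does not give a value */
typedef struct { int id; } Widget;   /* stand-in Widget type (assumption) */

/* Stand-in for the page's InitializeWidget(); returns NULL on failure. */
static Widget *InitializeWidget(void) {
    static int next_id = 1;
    Widget *w = malloc(sizeof *w);
    if (w != NULL) w->id = next_id++;
    return w;
}

/* Free a NULL-terminated widget list. */
static void FreeWidgetList(Widget **list) {
    if (list == NULL) return;
    for (size_t i = 0; list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Build a NULL-terminated list of numWidgets widgets, or return NULL. */
static Widget **BuildWidgetList(size_t numWidgets) {
    if (numWidgets == 0 || numWidgets > MAX_NUM_WIDGETS) return NULL;
    /* numWidgets + 1 slots: one per widget plus the NULL terminator.
       calloc zero-fills, so the list is terminated at every step. */
    Widget **list = calloc(numWidgets + 1, sizeof *list);
    if (list == NULL) return NULL;
    for (size_t i = 0; i < numWidgets; i++) {
        list[i] = InitializeWidget();
        if (list[i] == NULL) { FreeWidgetList(list); return NULL; }
    }
    list[numWidgets] = NULL;   /* index numWidgets is inside the allocation */
    return list;
}

/* Count entries by walking to the terminator, as a consumer would. */
static size_t CountWidgets(Widget **list) {
    size_t n = 0;
    while (list[n] != NULL) n++;
    return n;
}

int main(void) {
    Widget **list = BuildWidgetList(3);
    printf("widgets: %zu\n", list ? CountWidgets(list) : 0);
    FreeWidgetList(list);
    return 0;
}
```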
In this example, the code does not account for the terminating null character, and it writes one byte beyond the end of the buffer.
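    char firstname[20];
    char lastname[20];
    char fullname[40];
    fullname[0] = '\0';
    /* strncat appends up to n characters and then a '\0':
       20 + 20 + 1 = 41 bytes written into fullname[40]. */
    strncat(fullname, firstname, 20);
    strncat(fullname, lastname, 20);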
Bad · C
    char firstname[20];
    char lastname[20];
    char fullname[40];
    fullname[0] = '\0';
    strncat(fullname, firstname, sizeof(fullname)-strlen(fullname)-1);
    strncat(fullname, lastname, sizeof(fullname)-strlen(fullname)-1);
Good · C
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2024-32668 | bhyve(8) privileged guest escape via USB controller — FreeBSD | 8.2 | - | 2024-09-05 |
| CVE-2023-44444 | GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability — GIMP | 7.8 | - | 2024-05-03 |
| CVE-2024-1441 | Libvirt: off-by-one error in udevlistinterfacesbystatus() | 5.5 | Medium | 2024-03-11 |
| CVE-2023-46247 | Vyper has incorrect storage layout for contracts containing large arrays — vyper | 7.5 | High | 2023-12-13 |
| CVE-2023-41880 | Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64 — wasmtime | 2.2 | Low | 2023-09-15 |
| CVE-2023-28709 | Apache Tomcat: Fix for CVE-2023-24998 is incomplete — Apache Tomcat | 7.5 | - | 2023-05-22 |
| CVE-2023-27477 | Wasmtime security vulnerability — wasmtime | 3.1 | Low | 2023-03-08 |
| CVE-2023-0818 | Off-by-one Error in gpac/gpac — gpac/gpac | 7.1 | - | 2023-02-13 |
| CVE-2022-36354 | OpenImageIO security vulnerability — OpenImageIO | 5.3 | Medium | 2022-12-23 |
| CVE-2022-41916 | Read one byte past a buffer when normalizing Unicode — heimdal | 5.9 | Medium | 2022-11-15 |
| CVE-2022-3821 | systemd security vulnerability — systemd | 5.5 | - | 2022-11-08 |
| CVE-2022-3872 | QEMU security vulnerability — QEMU | 6.5 | - | 2022-11-07 |
| CVE-2022-3103 | Linux kernel security vulnerability — Linux | 8.4 | - | 2022-09-26 |
| CVE-2021-3999 | glibc security vulnerability — glibc | 7.8 | - | 2022-08-24 |
| CVE-2020-27793 | radare2 security vulnerability — radare2 | 5.5 | - | 2022-08-19 |
| CVE-2022-23400 | Accusoft ImageGear buffer error vulnerability — ImageGear | 8.1 | - | 2022-05-03 |
| CVE-2021-21938 | Accusoft ImageGear buffer error vulnerability — ImageGear | 9.8 | Critical | 2022-04-14 |
| CVE-2021-4070 | Off-by-one Error in v2fly/v2ray-core — v2fly/v2ray-core | 9.1 | - | 2022-02-23 |
| CVE-2021-3930 | QEMU security vulnerability — QEMU | 6.5 | - | 2022-02-18 |
| CVE-2021-44007 | Siemens Jt2go security vulnerability — JT2Go | 5.5 | - | 2021-12-14 |
| CVE-2021-23017 | F5 NGINX Controller security vulnerability — Nginx Web Server, Nginx Plus | 9.4 | - | 2021-06-01 |
| CVE-2020-14510 | OFF-BY-ONE ERROR CWE-193 — GateManager | 9.8 | Critical | 2020-08-25 |
| CVE-2020-14508 | OFF-BY-ONE ERROR CWE-193 — GateManager | 8.1 | High | 2020-08-25 |
| CVE-2020-10062 | Packet length decoding error in MQTT — zephyr | 9.0 | Critical | 2020-06-05 |
| CVE-2019-10131 | ImageMagick Studio ImageMagick buffer error vulnerability — ImageMagick | 7.7 | - | 2019-04-30 |
| CVE-2019-8272 | UltraVNC security vulnerability — UltraVNC | 9.8 | - | 2019-03-09 |
| CVE-2019-8268 | UltraVNC security vulnerability — UltraVNC | 9.8 | - | 2019-03-09 |
| CVE-2017-2618 | Linux kernel security vulnerability — kernel | 5.5 | - | 2018-07-27 |

58 CVEs are classified as CWE-193 (Off-by-one Error). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.