
CWE-193 (Off-by-one Error) — Vulnerability Class 64

64 vulnerabilities classified as CWE-193 (Off-by-one Error). AI Chinese analysis included.

CWE-193 is an off-by-one error: the product calculates or uses a maximum or minimum value that is exactly one greater or one less than the correct limit. The flaw typically shows up at boundary conditions, such as a loop that runs to "<= n" instead of "< n", an array indexed at its length rather than length minus one, or a buffer sized without room for the terminating null byte. The result is a read or write one element past the intended bounds, which corrupts adjacent memory or crashes the program. Although only a single element is involved, an attacker who controls the data being written can use that one-element overflow to clobber an adjacent variable, heap metadata, or a saved pointer, and from there reach arbitrary code execution, privilege escalation, or denial of service. To prevent the weakness, developers should validate boundary conditions carefully, run static analysis and memory sanitizers (such as AddressSanitizer) to catch out-of-bounds accesses, and prefer languages or APIs with automatic bounds checking. Code reviews focused on loop limits, array indices, and the size arguments passed to string functions should confirm that every size calculation accounts for the terminator and that the last index used is the length minus one.

MITRE CWE Description
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Common Consequences (3)
Availability: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Instability
This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Integrity: Modify Memory
If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands; Bypass Protection Mechanism
This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
Mitigations (1)
Implementation: When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
Examples (2)
The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.
    int i;
    unsigned int numWidgets;
    Widget **WidgetList;

    numWidgets = GetUntrustedSizeValue();
    if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
        ExitError("Incorrect number of widgets requested!");
    }
    /* Allocates room for exactly numWidgets pointers: valid indices are 0 .. numWidgets-1 */
    WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
    printf("WidgetList ptr=%p\n", WidgetList);
    for (i = 0; i < numWidgets; i++) {
        WidgetList[i] = InitializeWidget();
    }
    /* Off-by-one: index numWidgets is one past the end of the allocation */
    WidgetList[numWidgets] = NULL;
    showWidgets(WidgetList);
The allocation holds numWidgets pointers, but the NULL sentinel is stored at WidgetList[numWidgets], one element beyond it. The buffer should have been sized numWidgets + 1; as written, the sentinel write is an out-of-bounds heap write whenever the request is accepted, and the user controls numWidgets up to MAX_NUM_WIDGETS.
Bad · C
In this example, the code does not account for the terminating null character, and it writes one byte beyond the end of the buffer.
    char firstname[20];
    char lastname[20];
    char fullname[40];

    fullname[0] = '\0';
    /* Up to 20 bytes copied each time: 20 + 20 = 40 characters, then strncat
     * appends a terminating '\0' at index 40, one byte past the 40-byte buffer */
    strncat(fullname, firstname, 20);
    strncat(fullname, lastname, 20);
Bad · C
    char firstname[20];
    char lastname[20];
    char fullname[40];

    fullname[0] = '\0';
    /* Remaining space = total size - bytes already used - 1 for the terminator,
     * so the '\0' strncat appends always lands inside fullname */
    strncat(fullname, firstname, sizeof(fullname) - strlen(fullname) - 1);
    strncat(fullname, lastname, sizeof(fullname) - strlen(fullname) - 1);
Good · C
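The following program is an added example, not code from MITRE or from any of the listed products, showing both CWE examples in their corrected form in one runnable unit: the widget list is allocated with one extra slot so the NULL sentinel stays in bounds even at MAX_NUM_WIDGETS, and the name concatenation uses the size-minus-used-minus-one bound and reports whether the result was truncated. MAX_NUM_WIDGETS, the Widget struct, and the sample names are assumptions made for the demo; the original page does not define them. The concatenation helper takes null-terminated strings rather than the raw 20-byte arrays of the CWE snippet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NUM_WIDGETS 8          /* assumed limit; the CWE example does not define it */

typedef struct { int id; } Widget; /* assumed minimal widget type for the demo */

void free_widget_list(Widget **list)
{
    if (!list)
        return;
    for (size_t i = 0; list[i] != NULL; i++)   /* stops at the sentinel */
        free(list[i]);
    free(list);
}

/* Corrected form of the CWE widget example: numWidgets entries plus one extra
 * slot for the NULL sentinel, so list[numWidgets] is inside the allocation
 * even when numWidgets == MAX_NUM_WIDGETS. Returns NULL on bad input or OOM. */
Widget **make_widget_list(unsigned int numWidgets)
{
    if (numWidgets == 0 || numWidgets > MAX_NUM_WIDGETS)
        return NULL;
    /* calloc zero-fills, so every slot is NULL until assigned and a partial
     * build can be freed safely */
    Widget **list = calloc((size_t)numWidgets + 1, sizeof *list);
    if (!list)
        return NULL;
    for (unsigned int i = 0; i < numWidgets; i++) {  /* '<' not '<=': last index is numWidgets-1 */
        list[i] = malloc(sizeof **list);
        if (!list[i]) {
            free_widget_list(list);
            return NULL;
        }
        list[i]->id = (int)i;
    }
    list[numWidgets] = NULL;                         /* sentinel lands in the extra slot */
    return list;
}

/* Walk to the sentinel; relies on the +1 above to stay in bounds. */
size_t widget_count(Widget **list)
{
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* Builds, counts and frees a list; returns 0 when the request is rejected. */
size_t widget_list_len(unsigned int numWidgets)
{
    Widget **list = make_widget_list(numWidgets);
    if (!list)
        return 0;
    size_t n = widget_count(list);
    free_widget_list(list);
    return n;
}

/* Bounded concatenation in the style of the Good example. dstsz is the full
 * size of dst including the terminator. Returns the untruncated length
 * strlen(first) + strlen(last); a value >= dstsz means the result was cut. */
size_t join_names(char *dst, size_t dstsz, const char *first, const char *last)
{
    size_t needed = strlen(first) + strlen(last);
    if (dstsz == 0)
        return needed;
    dst[0] = '\0';
    /* remaining = size - used - 1 leaves room for the '\0' that strncat appends */
    strncat(dst, first, dstsz - strlen(dst) - 1);
    strncat(dst, last, dstsz - strlen(dst) - 1);
    return needed;
}

/* '>=' rather than '>': needed == dstsz leaves no byte for the terminator. */
int name_truncated(size_t needed, size_t dstsz)
{
    return needed >= dstsz;
}

int main(void)
{
    char fullname[40];
    const char *first = "AAAAAAAAAAAAAAAAAAAA";  /* constructed 20-char sample */
    const char *last  = "BBBBBBBBBBBBBBBBBBBB";  /* constructed 20-char sample */
    size_t need = join_names(fullname, sizeof fullname, first, last);
    printf("joined=\"%s\" len=%zu needed=%zu truncated=%d\n",
           fullname, strlen(fullname), need, name_truncated(need, sizeof fullname));
    printf("widgets at MAX_NUM_WIDGETS: %zu\n", widget_list_len(MAX_NUM_WIDGETS));
    return 0;
}
```

With two 20-character names the 40-byte buffer ends up holding 39 characters plus the terminator, and join_names reports 40 needed so the caller can see the truncation instead of silently losing a byte (the Bad version would write byte 41). Building the original Bad snippet with -fsanitize=address and requesting MAX_NUM_WIDGETS is the quickest way to see the sentinel write flagged as a heap-buffer-overflow.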
CVE ID          Title                                                                  CVSS  Severity  Published
CVE-2019-10131  ImageMagick Studio ImageMagick buffer error vulnerability (ImageMagick)  7.7   -         2019-04-30
CVE-2019-8272   UltraVNC security vulnerability (UltraVNC)                             9.8   -         2019-03-09
CVE-2019-8268   UltraVNC security vulnerability (UltraVNC)                             9.8   -         2019-03-09
CVE-2017-2618   Linux kernel security vulnerability (kernel)                           5.5   -         2018-07-27

Vulnerabilities classified as CWE-193 (Off-by-one Error) represent 64 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.