Total Tests:

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Get exclusive updates and invitations to our events and webinars:

Your data will stay confidential Private and Confidential

Off-by-one Error [CWE-193]

Off-by-one Error occurs when a program uses an improper maximum or minimum value that is one more or one less than the proper value.

Off-by-one Error [CWE-193]

Created: February 25, 2013
Latest Update: December 15, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Affected software
  4. Mitigations
  5. Severity and CVSS Scoring
  6. References
  7. Latest Related Security Advisories

Want to have an in-depth understanding of all modern aspects of
Off-by-one Error [CWE-193]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

An off-by-one condition is a logic error in size calculation when working with strings and arrays. It usually produces a boundary condition, which may lead to memory corruption.

Off-by-one errors are often a result of incorrect null-termination of string sequence, which usually starts at zero rather than one. This scenario typically arises when software performs loop iteration a number of times that is greater or less than expected.

When an off-by-one condition occurs, the program is able to read or write beyond the bounds of allocated memory, which can result in data corruption, application crash, or even lead to code execution.

The following example in C language uses a loop to read characters from an array:

  1. #include <stdio.h>
  2. #define MAX_CHARS 19
  3. int main ()
  4. {
  5.         int x;
  6.         int ite_loop = 0;
  7.         char filename[MAX_CHARS] = "My mother loves me.";
  8.         printf("Length of filename array: %d\n",strlen(filename));
  9.         for (x = 0; x <= MAX_CHARS; x++) {
  10.                 printf("%c",filename[x]);
  11.                 ite_loop += 1;
  12.         }
  13.         printf("\nIterations: %d\n",ite_loop);
  14.         return 0;
  15. }

However the exit loop condition "x <= MAX_CHARS" is incorrectly defined; therefore the loop reads one byte beyond the bounds of the array. Consider the following example:

  1. #include <stdio.h>
  2. #define MAX_CHAR   19
  3. #define MAX_VALUE  30
  4. int main ()
  5. {
  6.         int x;
  7.         int ite_loop = 0;
  8.         char filename[MAX_CHAR] = "My mother loves me.";
  9.         printf("Length of filename array: %d\n",strlen(filename));
  10.         for (x = 0; x <= MAX_VALUE; x++) {
  11.                 printf("%c",filename[x]);
  12.                 ite_loop += 1;
  13.         }
  14.         printf("\nIterations: %d\n",ite_loop);
  15.         return 0;
  16. }

In the previous code, the programmer has specified the wrong define directive variable in order to read the filename array. This mistake forces the code to read a few bytes beyond the bounds of the filename array; consequently it prints random data to memory:

CWE-193 exploitation example

An off-by-one error can be also introduced by improper usage of certain library functions. The following example uses the strncat function that always null-terminates its output string:

  1. strcpy(buf, "buffer:");
  2. strncat(buf, input, sizeof(buf)-strlen(buf));

The improper usage of the strncat function (third argument) produces an off-by-one condition, which depending on application architecture, may lead to code execution.

2. Potential impact

Off-by-one error leads to an unpredictable behavior of application, depending on nature of the vulnerability, and in most cases results in application crash or infinite loop. This weakness can also lead to buffer overflow and memory corruption. In cases of a heap-based buffer overflow, the most obvious result is the application crash. If off-by-one error leads to a stack-based buffer overflow, successful code execution is more likely.

How to Detect Off-by-one Error Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

3. Affected software

Software written in languages such as C and C++ that do not perform memory management is potentially vulnerable to this weakness.

4. Mitigations

Developers should pay extra attention to correct size parameter accounting for null terminator when copying character arrays or performing manipulations on arrays.

5. Severity and CVSS Scoring

Off-by-one errors can be used to cause application crash, data tampering or execution of arbitrary code. Depending on software and vulnerable code, these weaknesses could be locally or remotely exploitable.

A common CVSSv3 score for locally exploitable vulnerability in application would look like this:
3.3 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L] – Low severity.

In cases of remote code execution, it is usually scored as:
10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] – High severity.

6. References

  1. CWE-193: Off-by-one Error []
  2. Off-by-one error []
  3. The Shellcoder's Handbook: Discovering and Exploiting Security Holes []

7. Off-by-one Error Vulnerabilities, Exploits and Examples

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential