Secure Coding mailing list archives
Re: Off-by-one errors: a brief explanation
From: jnf <jnf () datakill org>
Date: Fri, 07 May 2004 14:01:33 +0100
Ok yea, after I asked I was thinking about it, and I was thinking that say if it were an array of int's, then an off by four (assuming 32b int), or otherwise would make sense, and I figured off by five would be something like that, was just wondering if anyone had any further explanation. As for it being a misnomer of sorts, that explains why I was confused. Anyways, thanks for the reply, that's what I was looking for.

Also on a complete sidenote, someone requested I upload one of my keys to a key server, so that you guys can quit getting 'failed to verify' responses from your news reader, will do- in the meantime the address of the key is in the mailheaders (although I suppose the mailing list mgr might be eating that header). If anyone else wants it before I get it to a keyserver, let me know off list and I will forward it to you.

j

--
It is only the great men who are truly obscene. If they had not dared to be obscene, they could never have dared to be great. -- Havelock Ellis

On Thu, 6 May 2004, Steven M. Christey wrote:
> [EMAIL PROTECTED] said:
>
> > that wasn't the question- well 'not how can overwriting 5 bytes help you', but what error do you code that's a miscount by 5 bytes?
>
> The off-by-one errors I am familiar with have manipulated character arrays, so each element is one byte long. When the index is off by one, you can write one extra byte. If you have an array of data structures that are 5 bytes each, then an "off-by-one" error (i.e., off by one *index*) gives you 5 bytes to work with.
>
> I don't know if any vulnerabilities of this flavor have been publicized, but I vaguely recall some "classic" buffer overflow vulnerabilities have involved multi-byte structures instead of single-byte characters.
>
> However, upon some investigation, it looks like there might be some inconsistent terminology going around. The only "off-by-five" error that I could find was reported for sudo by Global InterSec Research on April 2002:
>
> BUGTRAQ:20020402 [Global InterSec 2002041701] Sudo Password Prompt
> URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101974610509912&w=2
>
> original advisory at: http://www.globalintersec.com/adv/sudo-2002041701.txt
>
> This problem was *not* due to an index problem, which seems to be the core of what I call an off-by-one issue. In this "off-by-five" case, the researchers conclude: "it is possible to trick sudo into allocating less memory than it should for the prompt." In this case, sudo does not properly handle certain expansion characters in a string, which causes the string to be longer than expected. To me, that seems like a different kind of issue than an "off-by-one index" error, at least as it appears in the source code.
>
> So, the "off-by-five" problem is, in my opinion, a misnomer - at least from the perspective of the underlying programming error. From the exploit perspective, it's fine.
>
> And this is one of the reasons why, at CanSecWest this year, I mentioned that we need to be more precise about terminology :-)
>
> - Steve
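An added example, not code from anyone in this thread, showing the distinction Steve draws: an off-by-one *index* error on an array whose elements are 5 bytes each writes 5 bytes past the end. The record type, the function names and the canary layout are assumptions for the demo, and the backing buffer has one spare slot so the program never leaves its own allocation.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 5-byte record (no padding: it is just 5 unsigned chars),
   matching the "5 bytes per element" case discussed in the thread. */
struct rec {
    unsigned char bytes[5];
};

#define LOGICAL_COUNT 4                   /* elements the caller believes it has */
#define BACKING_COUNT (LOGICAL_COUNT + 1) /* spare slot holds a canary instead of real memory */

static const struct rec CANARY = {{0xAA, 0xAA, 0xAA, 0xAA, 0xAA}};

/* Buggy: "<=" also touches index n, one element past the end.
   Returns how many bytes were written past the intended n elements. */
size_t fill_buggy(struct rec *arr, size_t n)
{
    size_t i;
    for (i = 0; i <= n; i++)              /* BUG: bound should be i < n */
        memset(arr[i].bytes, (int)i, sizeof arr[i].bytes);
    return (i - n) * sizeof(struct rec);  /* 1 extra index * 5 bytes = 5 */
}

/* Fixed: same loop with the correct bound, so it never reaches index n. */
size_t fill_fixed(struct rec *arr, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        memset(arr[i].bytes, (int)i, sizeof arr[i].bytes);
    return (i - n) * sizeof(struct rec);  /* always 0 */
}

/* Runs one fill routine with a canary placed just past the logical array and
   returns how many of the canary's 5 bytes were clobbered (0 for a correct loop). */
int clobbered_bytes(size_t (*fill)(struct rec *, size_t))
{
    struct rec backing[BACKING_COUNT];
    int changed = 0;
    size_t k;
    memset(backing, 0, sizeof backing);
    backing[LOGICAL_COUNT] = CANARY;
    fill(backing, LOGICAL_COUNT);
    for (k = 0; k < sizeof CANARY.bytes; k++)
        changed += backing[LOGICAL_COUNT].bytes[k] != CANARY.bytes[k];
    return changed;
}

int main(void)
{
    printf("buggy loop clobbered %d canary bytes\n", clobbered_bytes(fill_buggy)); /* 5 */
    printf("fixed loop clobbered %d canary bytes\n", clobbered_bytes(fill_fixed)); /* 0 */
    return 0;
}
```

Swapping the record type for a 1-byte char or a 4-byte int gives the 1- and "off-by-four" cases from jnf's message with no other change.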