🎄 Join our Annual Holiday wargame and win prizes!


Off by One

A type of programming error where the program accesses or manipulates memory one byte beyond the bounds of an allocated buffer. This type of vulnerability often occurs in situations where the programmer makes an error in handling loop counters, array indices, or string termination characters. As a result, the program may read, write, or manipulate unintended memory locations, leading to unexpected behavior or security vulnerabilities.

Remediation:

  • *Input Validation Strategy*: Assume all input is malicious and use an *"accept known good"* input validation strategy. Reject any input that does not conform to specifications
  • When performing input validation, consider all potentially relevant properties including length, type, range of acceptable value, missing or extra inputs, syntax etc.
  • Validate and correct calculations for any length argument, buffer size calculation or offset. Furthermore be way of relying on sentinels (special characters such as NUL) in untrusted inputs.

Metadata

  • Severity: medium
  • Slug: off-by-one

CWEs

  • 125: Out-of-bounds Read

Available Labs

Open C labs in SecDim Play for this vulnerability.

Deco line
Deco line

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now
Deco line
Deco line

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.

Read more