Off-by-one Error - Security Implications

Security Implications

A common off-by-one error that results in a security-related bug is caused by misuse of the libc strncat routine. A common misconception about strncat is that its guaranteed null termination will not write beyond the maximum length. In reality it copies up to the maximum length specified and then writes a terminating null character, so the null can land one byte beyond that length. The following code contains such a bug:

    #include <string.h>

    void foo (char *s)
    {
        char buf[15];                      /* fixed-size local buffer */
        memset(buf, 0, sizeof(buf));
        /* strncat may copy sizeof(buf) bytes and then write the NUL at buf[15] */
        strncat(buf, s, sizeof(buf));      // Final parameter should be: sizeof(buf)-1
        return;
    }

Off-by-one errors are common when using the C library because it is not consistent about whether the length argument already accounts for the terminating null byte: functions like fgets and strncpy never write past the length given to them (fgets subtracts 1 itself and retrieves at most length - 1 bytes), whereas others, like strncat, will write past the length given to them. So the programmer has to remember for which functions he or she needs to subtract 1.

On some systems (little endian architectures in particular) this can result in the overwriting of the least significant byte of the frame pointer. This can cause an exploitable condition where an attacker can hijack the local variables for the calling routine.

One approach that often helps avoid such problems is to use variants of these functions that calculate how much to write based on the total length of the buffer, rather than the maximum number of characters to write. Such functions include strlcat and strlcpy, and are often considered "safer" because they make it easier to avoid accidentally writing past the end of a buffer. (In the code example above, calling strlcat(buf, s, sizeof(buf)) instead would remove the bug.)
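The following added example (not part of the original article) makes the difference observable without undefined behaviour: the 15-byte "buffer" is embedded in a one-byte-larger array with a guard byte after it, so a caller can see which append leaves the guard intact. Because strlcat is not present in every libc, a strlcat-style bounded_append (an assumed helper written for this example) stands in for it; BUF_LEN and CANARY are likewise this example's own names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 15     /* logical size of the destination, like buf[15] above */
#define CANARY  0xAA   /* guard byte placed immediately after the buffer */

/* strlcat-style append: `size` is the TOTAL size of dst, the result is always
 * NUL-terminated, and the return value is the length the full concatenation
 * would have had (a value >= size means the source was truncated). */
size_t bounded_append(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src), ncopy = slen;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)                 /* dst is not terminated within size */
        return size + slen;
    if (ncopy >= size - dlen)
        ncopy = size - dlen - 1;      /* leave room for the terminating NUL */
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* Append `src` into an empty BUF_LEN-byte buffer using either strncat(buf, src, n)
 * or bounded_append(buf, src, n), and report (1/0) whether the guard byte that
 * sits just past the buffer was overwritten.  The guard lives inside the same
 * array, so probing it is well-defined even when the append runs one byte long. */
int append_clobbers_guard(const char *src, size_t n, int use_bounded)
{
    char region[BUF_LEN + 1];         /* BUF_LEN bytes of buffer + 1 guard byte */
    memset(region, 0, BUF_LEN);
    region[BUF_LEN] = (char)CANARY;
    if (use_bounded)
        bounded_append(region, src, n);
    else
        strncat(region, src, n);      /* copies up to n bytes, THEN writes a NUL */
    return (unsigned char)region[BUF_LEN] != CANARY;
}

int main(void)
{
    const char *s = "AAAAAAAAAAAAAAAAAAAA";   /* constructed 20-byte input */
    printf("strncat n=sizeof(buf)   clobbers guard: %d\n",
           append_clobbers_guard(s, BUF_LEN, 0));       /* 1: off by one */
    printf("strncat n=sizeof(buf)-1 clobbers guard: %d\n",
           append_clobbers_guard(s, BUF_LEN - 1, 0));   /* 0 */
    printf("bounded_append size=sizeof(buf) clobbers guard: %d\n",
           append_clobbers_guard(s, BUF_LEN, 1));       /* 0 */
    return 0;
}
```

With a short source such as "hi", no variant reaches the guard; the defect only appears when the input is at least as long as the buffer, which is why it survives casual testing.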
