Secure Coding mailing list archives

Re: Off-by-one errors: a brief explanation


From: jnf <jnf () datakill org>
Date: Fri, 07 May 2004 14:01:33 +0100


Ok yea, after I asked I was thinking about it, and I was thinking that say 
if it were an array of ints, then an off by four (assuming 32b int), or 
otherwise would make sense, and I figured off by five would be something 
like that, was just wondering if anyone had any further explanation. As 
for it being a misnomer of sorts, that explains why I was confused.
Anyways, thanks for the reply, that's what I was looking for.

Also on a complete side note, someone requested I upload one of my keys to 
a key server, so that you guys can quit getting 'failed to verify' 
responses from your news reader, will do. In the meantime the address of 
the key is in the mail headers (although I suppose the mailing list mgr 
might be eating that header). If anyone else wants it before I get it to a 
keyserver, let me know off list and I will forward it to you.

j



 -- 

It is only the great men who are truly obscene.  If they had not dared to 
be obscene, they could never have dared to be great.
                -- Havelock Ellis
 


On Thu, 6 May 2004, Steven M. Christey wrote:


[EMAIL PROTECTED] said:

that wasn't the question- well 'not how can overwriting 5 bytes help
you', but what error do you code that's a miscount by 5 bytes?

The off-by-one errors I am familiar with have manipulated character
arrays, so each element is one byte long.  When the index is off by
one, you can write one extra byte.

If you have an array of data structures that are 5 bytes each, then an
"off-by-one" error (i.e., off by one *index*) gives you 5 bytes to
work with.  I don't know if any vulnerabilities of this flavor have
been publicized, but I vaguely recall some "classic" buffer overflow
vulnerabilities have involved multi-byte structures instead of
single-byte characters.

However, upon some investigation, it looks like there might be some
inconsistent terminology going around.

The only "off-by-five" error that I could find was reported for sudo
by Global InterSec Research in April 2002:

   BUGTRAQ:20020402 [Global InterSec 2002041701] Sudo Password Prompt
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101974610509912&w=2

   original advisory at:

     http://www.globalintersec.com/adv/sudo-2002041701.txt

This problem was *not* due to an index problem, which seems to be the
core of what I call an off-by-one issue.

In this "off-by-five" case, the researchers conclude: "it is possible
to trick sudo into allocating less memory than it should for the
prompt."  In this case, sudo does not properly handle certain
expansion characters in a string, which causes the string to be longer
than expected.

To me, that seems like a different kind of issue than an "off-by-one
index" error, at least as it appears in the source code.

So, the "off-by-five" problem is, in my opinion, a misnomer - at least
from the perspective of the underlying programming error.  From the
exploit perspective, it's fine.

And this is one of the reasons why, at CanSecWest this year, I
mentioned that we need to be more precise about terminology :-)

- Steve



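An added illustration of Steve's point about off-by-one *index* errors on multi-byte elements (this is constructed example code, not anything from the thread or from sudo): a packed 5-byte record, a fixed-capacity array followed by a guard region, and a fill loop whose bound is either correct (`i < CAPACITY`) or off by one (`i <= CAPACITY`). The buggy bound overwrites exactly sizeof(record) = 5 bytes of the guard, which is what makes a one-index mistake look like an "off-by-five" from the memory side. The struct layout, record contents and guard size are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 5-byte record: one tag byte plus a 32-bit value, packed so sizeof == 5. */
struct __attribute__((packed)) record { uint8_t tag; uint32_t value; };

#define CAPACITY 4

/* The array is followed by a guard region so that an out-of-bounds write lands
   somewhere we can inspect instead of in unrelated memory. */
struct container {
    struct record items[CAPACITY];
    uint8_t guard[16];
};

/* Fill records starting at index 0. `bound` is the loop limit: CAPACITY for the
   correct `i < CAPACITY`, CAPACITY + 1 for the classic off-by-one `i <= CAPACITY`.
   The store goes through a byte pointer into the enclosing container, so even the
   buggy iteration stays inside `c` and only corrupts the guard. */
static void fill_records(struct container *c, size_t bound) {
    for (size_t i = 0; i < bound; i++) {
        struct record r = { .tag = 0xAA, .value = 0xDEADBEEF }; /* all bytes nonzero */
        memcpy((unsigned char *)c + i * sizeof(struct record), &r, sizeof r);
    }
}

/* Returns how many guard bytes a fill with the given loop bound clobbers:
   0 for the correct bound, sizeof(struct record) == 5 for the off-by-one bound. */
size_t guard_bytes_clobbered(int off_by_one) {
    struct container c;
    memset(&c, 0, sizeof c);
    fill_records(&c, off_by_one ? CAPACITY + 1 : CAPACITY);
    size_t n = 0;
    for (size_t i = 0; i < sizeof c.guard; i++)
        if (c.guard[i] != 0) n++;
    return n;
}
```

The defensive takeaway is that the check belongs on the index (`i < CAPACITY`), and the damage of a one-index slip scales with the element size, not with one byte.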





