CWE-193 Base Draft

Off-by-one Error

An off-by-one error occurs when a program incorrectly calculates a boundary, such as a loop counter or array index, by being one unit too high or too low. This often leads to buffer overflows,…

Definition

What is CWE-193?

An off-by-one error occurs when a program incorrectly calculates a boundary, such as a loop counter or array index, by being one unit too high or too low. This often leads to buffer overflows, memory corruption, or unexpected program behavior.
This common programming mistake typically happens when developers use incorrect comparison operators (like <= instead of <) or miscalculate loop termination conditions. It's especially prevalent when dealing with zero-based indexing in arrays, strings, or memory buffers, where the boundary between the last valid element and the first invalid one is easy to misjudge. To prevent off-by-one errors, carefully review all loop conditions and boundary checks, paying close attention to whether your logic uses inclusive or exclusive upper limits. Using standardized container iteration methods (like iterators in C++ or for-each loops in other languages) instead of manual index calculations can eliminate many of these errors entirely.
Real-world impact

Real-world CVEs caused by CWE-193

  • CVE-2003-0252

    Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.

  • CVE-2001-1391

    Off-by-one vulnerability in driver allows users to modify kernel memory.

  • CVE-2002-0083

    Off-by-one error allows local users or remote malicious servers to gain privileges.

  • CVE-2002-0653

    Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.

  • CVE-2002-0844

    Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.

  • CVE-1999-1568

    Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.

  • CVE-2004-0346

    Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.

  • CVE-2004-0005

    Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.

  2. 2

    However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption.

  3. 3

    In this example, the code does not account for the terminating null character, and it writes one byte beyond the end of the buffer.

  4. 4

    The first call to strncat() appends up to 20 characters plus a terminating null character to fullname[]. There is plenty of allocated space for this, and there is no weakness associated with this first call. However, the second call to strncat() potentially appends another 20 characters. The code does not account for the terminating null character that is automatically added by strncat(). This terminating null character would be written one byte beyond the end of the fullname[] buffer. Therefore an off-by-one error exists with the second strncat() call, as the third argument should be 19.

  5. 5

    When using a function like strncat() one must leave a free byte at the end of the buffer for a terminating null character, thus avoiding the off-by-one weakness. Additionally, the last argument to strncat() is the number of characters to append, which must be less than the remaining space in the buffer. Be careful not to just use the total size of the buffer.

Vulnerable code example

Vulnerable C

The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.

Vulnerable C 
int i;
  unsigned int numWidgets;
  Widget **WidgetList;
  numWidgets = GetUntrustedSizeValue();
  if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
  	ExitError("Incorrect number of widgets requested!");
  }
  WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
  printf("WidgetList ptr=%p\n", WidgetList);
  for(i=0; i<numWidgets; i++) {
  	WidgetList[i] = InitializeWidget();
  }
  WidgetList[numWidgets] = NULL;
  showWidgets(WidgetList);
Secure code example

Secure C

When using a function like strncat() one must leave a free byte at the end of the buffer for a terminating null character, thus avoiding the off-by-one weakness. Additionally, the last argument to strncat() is the number of characters to append, which must be less than the remaining space in the buffer. Be careful not to just use the total size of the buffer.

Secure C 
char firstname[20];
  char lastname[20];
  char fullname[40];
  fullname[0] = '\0';
  strncat(fullname, firstname, sizeof(fullname)-strlen(fullname)-1);
  strncat(fullname, lastname, sizeof(fullname)-strlen(fullname)-1);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-193

  • Implementation When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
Detection signals

How to detect CWE-193

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-193 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-193?

An off-by-one error occurs when a program incorrectly calculates a boundary, such as a loop counter or array index, by being one unit too high or too low. This often leads to buffer overflows, memory corruption, or unexpected program behavior.

How serious is CWE-193?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-193?

MITRE lists the following affected platforms: C.

How can I prevent CWE-193?

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

How does Plexicus detect and fix CWE-193?

Plexicus's SAST engine matches the data-flow signature for CWE-193 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-193?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/193.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-193

CWE-682 Parent

Incorrect Calculation

This vulnerability occurs when software performs a calculation that produces wrong or unexpected results, which are then used to make…

CWE-128 Sibling

Wrap-around Error

A wrap-around error happens when a variable exceeds the maximum value its data type can hold, causing it to unexpectedly reset to a very…

CWE-131 Sibling

Incorrect Calculation of Buffer Size

This vulnerability occurs when a program miscalculates the amount of memory needed for a buffer, potentially leading to a buffer overflow…

CWE-1335 Sibling

Incorrect Bitwise Shift of Integer

This vulnerability occurs when a program attempts to shift an integer's bits by an invalid amount—either a negative number or a value…

CWE-1339 Sibling

Insufficient Precision or Accuracy of a Real Number

This vulnerability occurs when a program uses a data type or algorithm that cannot accurately represent or calculate the fractional part…

CWE-135 Sibling

Incorrect Calculation of Multi-Byte String Length

This vulnerability occurs when software incorrectly measures the length of strings containing multi-byte or wide characters, leading to…

CWE-190 Sibling

Integer Overflow or Wraparound

Integer overflow or wraparound occurs when a calculation produces a numeric result that exceeds the maximum value a variable can hold.…

CWE-191 Sibling

Integer Underflow (Wrap or Wraparound)

Integer underflow occurs when a subtraction operation results in a value smaller than the data type's minimum limit, causing the value to…

CWE-369 Sibling

Divide By Zero

A divide-by-zero error occurs when software attempts to perform a division operation where the denominator is zero.

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo