-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ok yeah, after I asked I was thinking about it, and I was thinking that say
if it were an array of ints, then an off by four (assuming 32-bit int), or
otherwise, would make sense, and I figured off by five would be something
like that; was just wondering if anyone had any further explanation. As
for it being a misnomer of sorts, that explains why I was confused.
Anyway, thanks for the reply, that's what I was looking for.
Also, on a complete sidenote, someone requested I upload one of my keys to
a key server so that you guys can quit getting 'failed to verify'
responses from your news reader. Will do; in the meantime the address of
the key is in the mail headers (although I suppose the mailing list mgr
might be eating that header). If anyone else wants it before I get it to a
keyserver, let me know off list and I will forward it to you.
j
--
It is only the great men who are truly obscene. If they had not dared to
be obscene, they could never have dared to be great.
-- Havelock Ellis
On Thu, 6 May 2004, Steven M. Christey wrote:
>
> [EMAIL PROTECTED] said:
>
> > that wasn't the question- well 'not how can overwriting 5 bytes help
> > you', but what error do you code that's a miscount by 5 bytes?
>
> The off-by-one errors I am familiar with have manipulated character
> arrays, so each element is one byte long. When the index is off by
> one, you can write one extra byte.
>
> If you have an array of data structures that are 5 bytes each, then an
> "off-by-one" error (i.e., off by one *index*) gives you 5 bytes to
> work with. I don't know if any vulnerabilities of this flavor have
> been publicized, but I vaguely recall some "classic" buffer overflow
> vulnerabilities have involved multi-byte structures instead of
> single-byte characters.
>
> However, upon some investigation, it looks like there might be some
> inconsistent terminology going around.
>
> The only "off-by-five" error that I could find was reported for sudo
> by Global InterSec Research in April 2002:
>
> BUGTRAQ:20020402 [Global InterSec 2002041701] Sudo Password Prompt
> URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101974610509912&w=2
>
> original advisory at:
>
> http://www.globalintersec.com/adv/sudo-2002041701.txt
>
> This problem was *not* due to an index problem, which seems to be the
> core of what I call an off-by-one issue.
>
> In this "off-by-five" case, the researchers conclude: "it is possible
> to trick sudo into allocating less memory than it should for the
> prompt." In this case, sudo does not properly handle certain
> expansion characters in a string, which causes the string to be longer
> than expected.
>
> To me, that seems like a different kind of issue than an "off-by-one
> index" error, at least as it appears in the source code.
>
> So, the "off-by-five" problem is, in my opinion, a misnomer - at least
> from the perspective of the underlying programming error. From the
> exploit perspective, it's fine.
>
> And this is one of the reasons why, at CanSecWest this year, I
> mentioned that we need to be more precise about terminology :-)
>
> - Steve
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)
iD8DBQFAmsSSsKAeTAhLiCERAgPUAJ9O59RLFlRo2/N7CrbwYl7euXqKQwCdGu9L
fheWQFX67rZX+x3/sTxA49k=
=MDGe
-----END PGP SIGNATURE-----
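The point Steve makes above, that an index that is off by one writes one element's worth of bytes past the end, so the overshoot scales with the element size, can be made concrete with a small C program. The following is an added example written for this thread; it is not code from either poster and has nothing to do with the sudo advisory. The 5-byte `struct record` is a hypothetical type constructed for the demonstration, and the `__attribute__((packed))` assumption (GCC/Clang) is what keeps it at 5 bytes. Instead of performing the out-of-bounds write, the program reports the bytes that would be overshot and shows the buggy `<=` check beside the corrected `<` check that refuses the write.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 5-byte record, constructed for this example: a 1-byte tag
   followed by a 4-byte value. __attribute__((packed)) keeps sizeof at 5
   (GCC/Clang); the assert in main() makes that assumption explicit. */
struct __attribute__((packed)) record {
    uint8_t tag;
    uint32_t value;
};

#define NRECORDS 4

/* Bytes that a write to element `index` would place beyond the end of an
   array of `count` elements of `elem_size` bytes each; 0 if in bounds.
   An index that is off by exactly one always yields elem_size. */
size_t overshoot_bytes(size_t elem_size, size_t count, size_t index)
{
    if (index < count)
        return 0;
    return (index + 1 - count) * elem_size;
}

/* The buggy shape of the bounds check: `<=` admits index == count, which
   is one element past the end. Nothing is written here; it only reports. */
int buggy_index_ok(size_t count, size_t index)
{
    return index <= count;
}

/* The corrected bounds check. */
int fixed_index_ok(size_t count, size_t index)
{
    return index < count;
}

/* Store a record at `index` only if the corrected check passes.
   Returns 1 on success, 0 if the write was refused. */
int store_record(struct record *recs, size_t count, size_t index,
                 uint8_t tag, uint32_t value)
{
    if (!fixed_index_ok(count, index))
        return 0;
    recs[index].tag = tag;
    recs[index].value = value;
    return 1;
}

/* Attempt the off-by-one store (index == count) into a fresh array and
   report whether the corrected check refused it. */
int off_by_one_store_refused(void)
{
    struct record recs[NRECORDS];
    memset(recs, 0, sizeof recs);
    return !store_record(recs, NRECORDS, NRECORDS, 1, 0xdeadbeefu);
}

int main(void)
{
    assert(sizeof(struct record) == 5);

    /* Same off-by-one index, different element sizes. */
    printf("char array, index == count: %zu byte(s) past the end\n",
           overshoot_bytes(sizeof(char), NRECORDS, NRECORDS));
    printf("5-byte records, index == count: %zu byte(s) past the end\n",
           overshoot_bytes(sizeof(struct record), NRECORDS, NRECORDS));

    printf("buggy check admits index %d: %d\n", NRECORDS,
           buggy_index_ok(NRECORDS, NRECORDS));
    printf("fixed check admits index %d: %d\n", NRECORDS,
           fixed_index_ok(NRECORDS, NRECORDS));
    printf("off-by-one store refused: %d\n", off_by_one_store_refused());
    return 0;
}
```

Compiled with `gcc -Wall`, the program reports 1 byte of overshoot for the character array and 5 for the record array at the same bad index, which is exactly the "off by one index, five bytes to work with" case described in the reply; the only code-level difference between the vulnerable and the fixed version is `<=` versus `<` in the bounds check.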