An interesting example is where an off-by-one error (CAN 2001-0609,
Cfingerd 1.4.3) allowed the joining of two buffers together because the
NUL byte was never written, and that made a format string vulnerability
easier to exploit.
http://www.securityfocus.com/archive/1/176087/2004-04-15/2004-04-
Yves Younan wrote:
More details in "Once upon a free()" by 'anonymous' in Phrack 57 article
9 http://www.phrack.org/show.php?p=57&a=9 and in my master thesis, page
48, http://fort-knox.org/thesis.php.
I liked your thesis very much, actually I was more interested in how to
detect the vulnerabilitie
OK yeah, after I asked I was thinking about it, and I was thinking that, say,
if it were an array of ints, then an off-by-four (assuming a 32-bit int), or
otherwise, would make sense, and I figured off-by-five would be something
like that, was just wonderi
[EMAIL PROTECTED] said:
> that wasn't the question- well 'not how can overwriting 5 bytes help
> you', but what error do you code that's a miscount by 5 bytes?
The off-by-one errors I am familiar with have manipulated character
arrays, so each element is one byte long. When the index is off by
o
> To: Steven M. Christey
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SC-L] Off-by-one errors: a brief explanation
> I will add that a phrack paper, which I'm pretty sure introduced the
> concept to the public
In the chapter on buffer overflow in Exploiting Software we have a brief
explanation of off-by-one NULL termination errors and show how they can
be exploited. This is on pages 304-308. We provide an example with
strncat(), and show how the stack looks before and after.
gem
See http://www.exploi
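The NUL-termination off-by-one described in the Cfingerd note at the top of the thread and in the Exploiting Software excerpt above, as an added example in C that is not from the book, the list, or any poster. It assumes a constructed record layout of two adjacent 8-byte text fields; the buggy copy bounds the write to the field size but forgets that one of those bytes must be the terminator, so a later string operation reads straight through into the neighbouring field, and the fixed copy beside it reserves the last byte for NUL. The demo keeps every access inside the record so it runs without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example): two adjacent
 * fixed-width text fields inside one 16-byte backing buffer, no padding. */
#define FIELD_LEN 8
#define RECORD_LEN (2 * FIELD_LEN)

/* Buggy copy: the bound equals the field size, so a source of FIELD_LEN or
 * more characters fills the field and strncpy(3) never writes a NUL. */
void copy_field_buggy(char *field, const char *src)
{
    strncpy(field, src, FIELD_LEN);
}

/* Fixed copy: reserve the last byte for the terminator and always write it. */
void copy_field_fixed(char *field, const char *src)
{
    strncpy(field, src, FIELD_LEN - 1);
    field[FIELD_LEN - 1] = '\0';
}

/* Check: does a NUL occur within the field's own bytes?  memchr() stops at
 * the field boundary, so the check itself never reads the neighbour. */
int field_is_terminated(const char *field)
{
    return memchr(field, '\0', FIELD_LEN) != NULL;
}

/* Length a strlen()-style scan starting at field 0 would actually see,
 * bounded by the record so the demo stays in bounds. */
size_t observed_length(const char *record)
{
    const char *nul = memchr(record, '\0', RECORD_LEN);
    return nul ? (size_t)(nul - record) : (size_t)RECORD_LEN;
}

/* Builds the record: field 1 holds a proper string, field 0 receives a
 * constructed 10-byte untrusted input through the chosen copy routine. */
static void build_record(char record[RECORD_LEN], int use_fixed)
{
    const char *untrusted_input = "AAAAAAAAAA";   /* 10 bytes > FIELD_LEN */
    memset(record, 0, RECORD_LEN);
    strcpy(record + FIELD_LEN, "BBBBBBB");         /* field 1: 7 'B' + NUL */
    if (use_fixed)
        copy_field_fixed(record, untrusted_input);
    else
        copy_field_buggy(record, untrusted_input);
}

/* 1 if field 0 contains its own terminator after the copy, else 0. */
int scenario_field0_terminated(int use_fixed)
{
    char record[RECORD_LEN];
    build_record(record, use_fixed);
    return field_is_terminated(record);
}

/* Length a string function would see for field 0: 15 for the buggy copy
 * (the two fields run together), 7 for the fixed one. */
size_t scenario_observed_length(int use_fixed)
{
    char record[RECORD_LEN];
    build_record(record, use_fixed);
    return observed_length(record);
}

int main(void)
{
    printf("buggy: terminated=%d observed length=%zu\n",
           scenario_field0_terminated(0), scenario_observed_length(0));
    printf("fixed: terminated=%d observed length=%zu\n",
           scenario_field0_terminated(1), scenario_observed_length(1));
    return 0;
}
```

The observed length of 15 in the buggy case is the "joined buffers" effect from the Cfingerd note: any routine that later treats field 0 as a string (a format-string call, a copy into another buffer) operates on both fields at once, which is why a one-byte miscount is worth a code review on every bounded copy whose bound equals the destination size.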
I will add that a phrack paper, which I'm pretty sure introduced the
concept to the public, called 'overwriting the frame pointer', or something
similar to that effect, explains it in all its gruesome detail.
Basically if my memory serves me correctly, wh
Mads Rasmussen <[EMAIL PROTECTED]> said:
>I for one have difficulties understanding the "off-by-one"
>vulnerability. Maybe a kind soul would step in?
I'll try to tackle this. Corrections or additions are most welcome :)
In general, off-by-one bugs involve small errors in which an array of
siz