Off-by-one-Error
An off - by-one error ( German as by-one next error or Plus Minus One syndrome, abbreviated OBOE; jokingly " Obi -Wan error" ) or ± 1 problem represents a specific type of programming errors, which can undermine the development of software and usually a special case of the fencepost problem, a logic problem of indexing are. In an off-by -one errors in either the size specification of a memory block to 1 is false or it can at maximum buffer size by one step too much is written to the memory, the memory of another buffer or a variable will be overwritten.
Occurrence
An off -by-one error makes a programmer if he has a control structure (eg, a loop ) designed flawed in dealing with data fields, arrays, vectors, lists, or other indexable data types in such a way that they either once too often or even too little will go through.
Follow
In the case of an off -by-one error is typically when writing the loop to process a field, the selected termination or continuation condition is false, so that the body of the loop a statement that the index - based access to the field, exactly once too often, or too little is executed once, which is either attempting to access an item of the field does not exist, or the last (or first ) element of the field is omitted. In the former case, an index - out-of -upper -range error (or similar) is often the most striking result, in the latter case, no error is sometimes visible as long as the total buffer size to be used or an index -out - Of -lower -range error is reported.
An off-by -one error may well lead to a crash of the program when the memory buffer occur after the important data that will be overwritten by the loop (eg pointer to a structure ). In principle, program code can be after a buffer in memory, which is usually an accidental overwriting also causes a crash, because the data do not correspond to valid machine instruction. By contrast, a memory protection fault is very unlikely because operating systems allocate memory in large blocks. One advantage of an off-by -one error for exploits is hardly conceivable that this happens to many conditions must be satisfied simultaneously.
Cause
The reason for off-by -one error is usually the fact that you in programming the counting starts at 0 and not with 1 case of an array variable, with 10 fields, this means that the last field has an index of 9 and not 10
Another source of error is the very frequent use of zero bytes, especially for strings, ie text. The null character is a character in text is not occurring with the value 0 and marks the end of a string, while the actual buffer for the string may be greater by a multiple. This must be at variable buffer contents, the buffer size is not constantly change and also specify the length of the string is not separately. Through the null byte is a character string, however, in principle one character longer than the string itself is long. For example, the string " Hello " is therefore being 5 characters long, but requires 6 characters in memory. Functions that determine the length of a string and return the null byte does not count.
Off- by-one errors can be easily undermined and are very hard to find, especially since they make very often only under very special conditions noticeable. Even with the examination of the source code, they can be very easily overlooked. To make matters worse, that indexes or offsets in the code are usually formed by variables or formulas. Measures of compiler / interpreter or possibly operating systems that register exceeding a buffer limit to every single byte, grab only in the special case that all of the reserved buffer is to be used.
Examples
Example of the C language:
Int net prices; int i; / * Net prices initialize * / ... for (i = 0; i < = 10; i ) net prices [i ] = net prices [i ] * 1:19; / / Set up VAT. In this case, it would have i < 10 and not i < = 10 hot, as was indeed 10 specified in the declaration as field size, but is due to the zero -based nature of C the maximum index 9.
Often this type of error results from the confusion that arises because people count from 1 to N, array indices go in many programming languages but from 0 to N -1. Then there is also the greater-than signs and the greater- equal sign, which can be confusing. Moreover, the termination condition fail complicated, so that frequently arise Off-by -one error at this point.
It is particularly dangerous to the case of a data structure but starts with 1, but loop counts is about to start, this data structure with 0.
Example of the C language:
Const int count rates; int net prices [ prices number ]; int i; int startPos; / / Position is always one greater than the index. int anzahlZuVerarbeitenderPreise; for (i = startPos -1; startPos anzahlZuVerarbeitenderPreise > i; i) net prices [i ] = net prices [i ] * 1:19; / / Set up VAT. Also can easily run an off- by-one error when it is not observed at range limits, if the lower and upper bound is inclusive or exclusive. Thus, the function returns the substring of C and Java the part of a string that includes the lower bound with the upper but not.
If you want, for example, from the word " Foobar " out to solve the partial word "bar", while passing by one of the letters, so you can easily make a mistake at the upper bound, even if you start correctly counting at 0. Since the word has the letters "bar" in the indices 3, 4 and 5, one is tempted substring ( 3, 5) call. As a result, however, would receive only "ba".