Example - 1

While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based buffer overflows:

char buf[BUFSIZE];strcpy(buf, argv[1]);#define BUFSIZE 256int main(int argc, char **argv) {}

The buffer size is fixed, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

Example - 2

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

// /*routine that ensures user_supplied_addr is in the right format for conversion */// 
struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp);validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name);void host_lookup(char *user_supplied_addr){}

This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker.

Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476).