Example - 1

The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.

char last_name[20];printf ("Enter your last name: ");scanf ("%s", last_name);

The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.

Example - 2

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

char buf[24];strcpy(buf, string);...void manipulate_string(char * string){}

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Example - 3

The code below calls the gets() function to read in data from the command line.

char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...}

However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Example - 4

In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file.

clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);strcpy(hostname, clienthp->h_name);logOutput("Accepted client connection from host ", hostname);// process client request...close(clientsocket);int clientlen = sizeof(struct sockaddr_in);int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen);if (clientsocket >= 0) {}
struct hostent *clienthp;char hostname[MAX_LEN];// create server socket, bind to server address and listen on socket...// accept client connections and process requestsint count = 0;for (count = 0; count < MAX_CONNECTIONS; count++) {}close(serversocket);
......

However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method.