Editing Buffer overflow (section)

===Example===
{{further|topic=stack-based overflows|Stack buffer overflow}}

In the following example expressed in [[C (programming language)|C]], a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte [[big-endian]] integer, B.

<syntaxhighlight lang="c">
char           A[8] = "";
unsigned short B    = 1979;
</syntaxhighlight>

Initially, A contains nothing but zero bytes, and B contains the number 1979.

{| class="wikitable" style="width:32em; text-align:center;"
! style="white-space:nowrap;" | variable name
! colspan=8 style="background:#ddf;" | A
! colspan=2 style="background:#fdd;" | B
|- style="background:#ddf;"
! value
| colspan=8 | [<nowiki/>[[null string]]<nowiki/>]
| colspan=2 style="background:#fdd;" | 1979
|- style="background:#ddf;"
! hex value
| <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd>
| style="background:#fdd;" | <kbd>07</kbd> || style="background:#fdd;" | <kbd>BB</kbd>
|}

Now, the program attempts to store the [[null-terminated string]] {{code|"excessive"}} with [[ASCII]] encoding in the A buffer.
<syntaxhighlight lang="c">
strcpy(A, "excessive");
</syntaxhighlight>
{{code|"excessive"}} is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:

{| class="wikitable" style="width:32em; text-align:center;"
! style="white-space:nowrap;" | variable name
! colspan=8 style="background:#ddf;" | A
! colspan=2 style="background:#fdd;" | B
|- style="background:#ddf;"
! value
| <kbd>'e'</kbd> || <kbd>'x'</kbd> || <kbd>'c'</kbd> || <kbd>'e'</kbd> || <kbd>'s'</kbd> || <kbd>'s'</kbd> || <kbd>'i'</kbd> || <kbd>'v'</kbd>
| colspan=2 style="background:#dbd;" | <kbd>25856</kbd>
|- style="background:#ddf;"
! hex
| <kbd>65</kbd> || <kbd>78</kbd> || <kbd>63</kbd> || <kbd>65</kbd> || <kbd>73</kbd> || <kbd>73</kbd> || <kbd>69</kbd> || <kbd>76</kbd>
| style="background:#dbd;" | <kbd>65</kbd> || style="background:#dbd;" | <kbd>00</kbd>
|}

B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte would become 25856.

Writing data past the end of allocated memory can sometimes be detected by the operating system to generate a [[segmentation fault]] error that terminates the process.

To prevent the buffer overflow from happening in this example, the call to <kbd>[[strcpy]]</kbd> could be replaced with <kbd>[[strlcpy]]</kbd>, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A:

<syntaxhighlight lang="c">
strlcpy(A, "excessive", sizeof(A));
</syntaxhighlight>

When available, the <kbd>[[strlcpy]]</kbd> library function is preferred over <kbd>[[strncpy]]</kbd> which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function). Therefore <kbd>A</kbd> may not be null-terminated and cannot be treated as a valid C-style string.