Sometimes a program will place certain restrictions on buffers. This type of data sanity-checking can prevent many vulnerabilities. Consider the following example program, which is used to update product descriptions in a fictitious database. The first argument is the product code, and the second is the updated description. This program doesn't actually update a database, but it does have an obvious vulnerability in it.

#include <stdio.h> #include <stdlib.h> #include <string.h> #define MAX_ID_LEN 40 #define MAX_DESC_LEN 500 /* Barf a message and exit. */ void barf(char *message, void *extra) { printf(message, extra); exit(1); } /* Pretend this function updates a product description in a database. ...