Why is this an issue?
When using typical C functions, it’s up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer
overflows. Buffer overflows can cause the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be
executed.
This rule reports use of the following insecure functions, for which knowing the required size is not generally possible: gets() and getpw().
In such cases, the only way to prevent buffer overflow while using these functions would be to control the execution context of the application.
It is much safer to secure the application from within and to use an alternate, secure function which allows you to define the maximum number of
characters to be written to the buffer:
Noncompliant code example
gets(str); // Noncompliant; `str` buffer size is not checked and it is vulnerable to overflows
Compliant solution
gets_s(str, sizeof(str)); // Prevent overflows by enforcing a maximum size for `str` buffer
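As an added example (not part of the rule description): gets_s() is a C11 Annex K function that many toolchains, glibc included, do not ship, so a bounded reader built on standard fgets() is shown below with the same shape as gets_s(str, sizeof(str)). The constructed sample input is placed in a tmpfile(); that and the function names are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): stores at most bufsize-1 characters
 * plus the terminator, strips the trailing newline, and when the line
 * is longer than the buffer discards the remainder so the next call
 * starts on a fresh line (*truncated is set to 1 in that case).
 * Returns the number of characters stored, or -1 on EOF/error. */
long read_line_bounded(char *buf, size_t bufsize, FILE *in, int *truncated)
{
    if (buf == NULL || bufsize == 0 || in == NULL || truncated == NULL)
        return -1;
    *truncated = 0;
    if (fgets(buf, (int)bufsize, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';               /* drop the newline, as gets() did */
    } else {
        int c = fgetc(in);               /* peek: was the line cut short? */
        if (c != EOF && c != '\n') {
            *truncated = 1;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                        /* drain the rest of the over-long line */
        }
    }
    return (long)len;
}

/* Constructed input: a line that fits an 8-byte buffer, one that would
 * have overflowed it under gets(), and a last line without a newline. */
int demo(void)
{
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fputs("alice\nthis-line-is-far-too-long\nbob", in);
    rewind(in);
    char buf[8];  /* sizeof buf is the bound, as in gets_s(str, sizeof(str)) */
    int truncated, lines = 0;
    while (read_line_bounded(buf, sizeof buf, in, &truncated) >= 0) {
        printf("got %-7s (%zu chars)%s\n", buf, strlen(buf), truncated ? " [truncated]" : "");
        lines++;
    }
    fclose(in);
    return lines;  /* 3 */
}
```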
Resources