Buffer overflow issue.

So I was told if you use

Code:

char whatever[BUFSIZE +1]

you could prevent buffer overflow. However on compiling a test program, it returned BUFSIZE to be have 513 bytes max. Doesn't that mean if you go over 514 then you can have a buffer overflow.

Or does it make a difference if you use

Code:

scanf()

or

Code:

gets()

to get the user inputs.

Here is my code to determine BUFSIZ

Code:

/* scanfTEST.c */

#include <stdio.h>
#include <ctype.h>
#define PRAISE "My that is a nice name"

int main (void)

{

    char name[BUFSIZ+1];
    int size, nameLEN;

    printf("What is your name?\n");
    scanf(" %s", name); /* ignores leading whitespace but not the following whitespace */
    size = sizeof (name);
    nameLEN = strlen(name);

    printf("Hello, %s. %s\n", name, PRAISE);
    printf("Your name can hold max %d bytes. But its is now of %d charaters\n", size, nameLEN);
    system("pause");
    return (0);


}

>you could prevent buffer overflow.
No, you're confusing the operations of the input buffer with buffer overrun, where data is written beyond the boundaries of memory that you own.

>scanf()
Use of scanf is fine as long as you use it correctly. Otherwise it's awkward and unsafe.

>gets()
There's no way to make gets safe, forget it even exists and you'll be better off.

Originally posted by Prelude
>>you could prevent buffer overflow.
No, you're confusing the operations of the input buffer with buffer overrun, where data is written beyond the boundaries of memory that you own.

Could you explain a bit more please. Buffer overun is when data is written beyond what? your memory/storage capacity?. So buffer overflow is what? beyond your input buffer? ex

Code:

char buffer[40]

anything beyond that is overflow? Is that correct. Would you even be able to input data beyound what is specified in the array?

>Could you explain a bit more please.
The input buffer is a mechanism for efficiency. If the buffer is 512 bytes, then to avoid expensive I/O operations any new data will be passed to the buffer, not written to the final destination. When the buffer is full, it writes its contents to the final destination. The important thing to notice is that if there is more data, this process continues whether your program can handle it or not. If the input buffer holds 40 characters but the user enters 50, your program still gets 50.

Buffer overflow is a bug in your code where your program receives more data than it can handle and begins trashing memory that it doesn't own. If you have an array that can only hold 40 characters, yet the user enters 50 and you aren't prepared for 50, that is buffer overflow. Buffer overflow and buffer overrun are synonyms. The distinction you need to make is the system's input buffer and your program's input buffer.