•Never, ever, ever use gets(). It has no way to limit how much it reads, so only under
freak conditions will it NOT cause a buffer overflow. (It was removed from the language in C11.)
•Also avoid functions like strcpy() and strcat(). Use strncpy() and strncat()
instead, but mind their quirks: strncpy() does not null-terminate the destination when the
source is n bytes or longer, and the n passed to strncat() is the space remaining after the
existing string, not the size of the destination buffer.
•Use field width specifiers with the scanf() family of functions (scanf(), fscanf(), sscanf(), etc.),
e.g. %31s for a 32-byte buffer. Otherwise they will not do any bounds
checking for you. (Note that scanf() formats take a width, not a precision: %.31s is not valid there.)
•Be careful with sprintf(). Use
precision specifiers (%.31s) or, better, snprintf() with the destination size, and check its return
value: a result of size or larger means the output was truncated.
•Never use variable format strings with the printf() family of
functions. Data that may come from the user goes in as an argument, printf("%s", buf), never as the format itself.
•Every file or path handling library function has its own quirks, so be
careful.
•Functions like fgets(), strncpy(), and memcpy() are okay, but make sure your buffer really is the size you say it
is: pass sizeof the array rather than a number typed by hand, and remember that fgets() counts the
terminating null in its size argument while strncpy() does not. Be careful of off-by-one
errors.
•When using streadd() or strecpy() (the System V libgen routines that expand non-printable characters
into escape sequences), make sure the destination buffer is four times the size of the source
buffer, since a single byte can become a four-character octal escape such as \001.
•A very useful tool to aid in finding unsafe library function calls
during code inspection is a static
analyzer such as ITS4. Compiler warnings such as gcc's -Wformat-security also flag the variable-format-string case.
•Testing will catch many, but not all, buffer overflows, since a test only exercises the inputs someone
thought to supply. Code inspection in combination with testing will produce
the best results.
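The following is an added example, not code from the original page, showing the bounded replacements the list above recommends in one place: fgets() in place of gets() (with the over-long line drained), strncpy() and strncat() with explicit termination and remaining-space arithmetic, snprintf() with its return value checked for truncation, and a scanf field width tied to the buffer size by a macro. The function names, the 32-byte buffer size and the sample inputs are my own choices for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD 31            /* most characters a scanf %s may store */
#define BUF   (FIELD + 1)   /* one more byte for the terminating NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)     /* STR(FIELD) expands to "31", keeping the width tied to BUF */

/* Replacement for gets(). fgets() stores at most dstsz-1 bytes plus a NUL;
   the newline is stripped and, if the line did not fit, its tail is discarded
   so it cannot be misread as the next line. Returns 0 on success, 1 if data
   was dropped, -1 on EOF or error. */
int read_line(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz < 2 || fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    int c, dropped = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;                  /* drain the rest of an over-long line */
    return dropped;
}

/* strncpy() does not NUL-terminate when strlen(src) >= n, so copy one byte
   less than the buffer and terminate explicitly. Returns 1 if truncated. */
int copy_str(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz;
}

/* strncat()'s n is the space left after the existing string, not the buffer
   size; compute it from the destination's current length. Returns 1 if
   truncated, -1 if dst is not NUL-terminated within dstsz. */
int append_str(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return -1;
    size_t room = dstsz - (size_t)(end - dst) - 1;
    strncat(dst, src, room);
    return strlen(src) > room;
}

/* snprintf() never writes past dstsz, but returns the length the full output
   would have had; a value >= dstsz means it was cut short. The name is passed
   as a %s argument, never as the format string. Returns 1 if truncated. */
int format_greeting(char *dst, size_t dstsz, const char *name)
{
    int n = snprintf(dst, dstsz, "Hello, %s!", name);
    if (n < 0)
        return -1;
    return (size_t)n >= dstsz;
}

/* "%31s" stores at most FIELD characters plus a NUL into a BUF-byte array;
   without the width, sscanf() would write as much as the input contains. */
int parse_user(const char *line, char user[BUF])
{
    return sscanf(line, "%" STR(FIELD) "s", user) == 1 ? 0 : -1;
}

int main(void)
{
    char line[BUF], greeting[BUF], user[BUF];
    int rc;
    while ((rc = read_line(line, sizeof line, stdin)) >= 0) {
        if (rc == 1)
            fprintf(stderr, "warning: line truncated to %d bytes\n", FIELD);
        if (parse_user(line, user) == 0 &&
            format_greeting(greeting, sizeof greeting, user) >= 0)
            printf("%s\n", greeting);
    }
    return 0;
}
```

Feed it lines on stdin; anything longer than 31 bytes is cut at the buffer boundary and reported, and the leftover bytes never reach the next read.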