Talk:Reviewing Code for Buffer Overruns and Overflows
Under "Walking the stack", the statement "the %n directive in printf()... takes an int* and writes the number of bytes so far to that location" is incorrect. "%n" is defined for the sscanf() function, but not for printf()... unless somebody knows of a non-standard implementation of C which does behave in this way, in which case that implementation should be identified.
Use DIM or sizeof
The good patterns sections should suggest to either use sizeof or the usual DIM macro instead of hard coding the length of the buffer. I.e.:
char smallBuffer; // size of 10 strncpy(smallBuffer, userId, sizeof smallBuffer); ...