

buffer overflow c (gets function)

There is the following code; I need to return an access level that's under 0x30 and not equal to 0 or 2:

#include <stdio.h>
#include <string.h>

int login() {
    int accessLevel = 0xff;
    char username[16];
    char password[32];
    printf("Username (max 15 characters): ");
    gets(username);    /* unbounded read: writes past username[] if the line is longer than 15 chars */
    printf("Password (max 31 characters): ");
    gets(password);    /* same problem for password[] */

    if (!strcmp(username, "admin") && !strcmp(password, "{{ create_long_password() }}")) {
        accessLevel = 2;
    } else if (!strcmp(username, "root") && !strcmp(password, "{{ create_long_password() }}")) {
        accessLevel = 0;
    } else if (!strcmp(username, "artist") && !strcmp(password, "my-password-is-secret")) {
        accessLevel = 0x80;
    }

    return accessLevel;
}

I entered into the user name 16 'a', which reset the accessLevel to 0 (and then added a space, which set access to 20 and gives me the desired output). But I would expect the buffer to overwrite password, not accessLevel, since it's the "following memory". I imagine I'm misunderstanding how the buffer works and would like an explanation. Also, why did the 16th char reset to 0?

Thanks in advance!

strcmp will match an arbitrary amount of chars, given by the first instance of the null termination char. All string literals must be null terminated with \0.

Using strncmp will only compare the amount of chars given in the arguments.

The ordering of local variables on the stack (assuming there is a stack) is not guaranteed to be in any particular order. It depends largely on the types of the variables and the required alignment of each of them, and can change depending on the compiler or on optimization settings.

In this case, it sounds like the variables were pushed onto the stack in the order they appear in code, which would mean that their addresses would progressively decrease.
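A bounded rewrite of the question's login(), added here as an example (it is not code from the question or from either answer): it keeps the same 16/32-byte buffers and the same checks, but replaces gets() with an fgets()-based reader that also drains the rest of an over-long line, so a 16-character username is truncated instead of being written past the array into whatever the compiler placed next to it. The admin/root passwords are assumed placeholders, and login_from_string() is an assumed helper for driving the function from a string instead of a terminal.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads at most n-1 bytes into buf, strips
   the newline, and drains any over-long remainder of the line so it cannot
   be consumed by the next read (e.g. as the password). Returns 0 on EOF. */
static int read_line(FILE *in, char *buf, size_t n) {
    if (fgets(buf, (int)n, in) == NULL) { buf[0] = '\0'; return 0; }
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
        return 1;
    }
    int c;                          /* no newline seen: discard the excess */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return 1;
}

/* Same buffers and checks as the question's login(), but every write into
   username/password is bounded, so input can never reach accessLevel.
   The admin/root passwords are constructed placeholders, not real values. */
int login_safe(FILE *in) {
    int accessLevel = 0xff;
    char username[16];
    char password[32];
    if (!read_line(in, username, sizeof username)) return accessLevel;
    if (!read_line(in, password, sizeof password)) return accessLevel;
    if (!strcmp(username, "admin") && !strcmp(password, "ADMIN-PW-PLACEHOLDER")) {
        accessLevel = 2;
    } else if (!strcmp(username, "root") && !strcmp(password, "ROOT-PW-PLACEHOLDER")) {
        accessLevel = 0;
    } else if (!strcmp(username, "artist") && !strcmp(password, "my-password-is-secret")) {
        accessLevel = 0x80;
    }
    return accessLevel;
}

/* Assumed helper: feed an in-memory string to login_safe() through a
   standard C temporary file, so the demo needs no terminal input. */
int login_from_string(const char *input) {
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fputs(input, in);
    rewind(in);
    int level = login_safe(in);
    fclose(in);
    return level;
}
```

With this version the question's input of 16 'a' followed by a password line yields 0xff (the default), not 0, because the 16th character is discarded rather than stored.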
