if one complains about gets(), why not do the same with scanf(“%s”,…)?

情深已故 2021-01-06 03:57

From man gets:

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters ge

5 answers
  •  醉酒成梦
    2021-01-06 04:07

    I am not sure why the man page for scanf doesn't mention the probability of a buffer overrun, but vanilla scanf is not a secure option. A rather dated link - http://blogs.msdn.com/b/rsamona/archive/2005/10/24/484449.aspx shows this as the case. Also, check this (not gcc but informative nevertheless) - http://blogs.msdn.com/b/parthas/archive/2006/12/06/application-crash-on-replacing-sscanf-with-sscanf-s.aspx
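An added example, not from the thread or from either linked post: a bounded replacement for `scanf("%s", buf)` in C. The field width is derived from the destination size at run time, and a `%n` check tells the caller whether the token was cut off. The names `read_word_bounded` and `make_bounded_fmt` and the 16-byte buffer size are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* scanf("%s", buf) stops at whitespace, never at the end of buf, so it has the
 * same unbounded-write problem as gets().  The fix is a maximum field width,
 * "%15s" for a 16-byte buffer (the width excludes the terminating NUL). */

enum { WORD_MAX = 16 };   /* constructed buffer size for this demo */

/* Build "%<N>s" from the destination size.  scanf has no '*' width argument
 * like printf does, so the width has to be spliced into the format string. */
static int make_bounded_fmt(char *fmt, size_t fmtsz, size_t bufsz)
{
    if (bufsz < 2)                      /* room for at least one char + NUL */
        return -1;
    int n = snprintf(fmt, fmtsz, "%%%zus", bufsz - 1);
    return (n > 0 && (size_t)n < fmtsz) ? 0 : -1;
}

/* Read one whitespace-delimited token from `in` into buf[bufsz].
 * Returns  1  if the whole token fit,
 *          0  if the token was truncated to bufsz-1 chars (rest left unread),
 *         -1  if there was no token or the buffer is unusable.
 * Uses sscanf on a string so it runs offline; the same format works with
 * scanf() on stdin. */
int read_word_bounded(const char *in, char *buf, size_t bufsz)
{
    char fmt[32];
    int consumed = 0;

    if (make_bounded_fmt(fmt, sizeof fmt, bufsz) != 0)
        return -1;
    strcat(fmt, "%n");                  /* record how many chars were consumed */
    if (sscanf(in, fmt, buf, &consumed) != 1)
        return -1;                      /* empty / whitespace-only input */

    /* If the char after the consumed span is neither whitespace nor end of
     * string, the token was longer than the buffer and was cut off. */
    unsigned char next = (unsigned char)in[consumed];
    return (next == '\0' || isspace(next)) ? 1 : 0;
}

int main(void)
{
    char buf[WORD_MAX];
    const char *samples[] = { "hello world", "abcdefghijklmnopqrstuvwxyz", "   " };
    for (size_t i = 0; i < 3; i++) {
        int rc = read_word_bounded(samples[i], buf, sizeof buf);
        printf("rc=%2d buf=\"%s\"\n", rc, rc < 0 ? "" : buf);
    }
    return 0;
}
```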
