CompTIA CASP+ (CAS-004) — Question 329
A security architect examines a section of code and discovers the following:
```c
char username[20];
char password[20];
gets(username);            /* unbounded read into a 20-byte buffer */
checkUserExists(username);
```
Which of the following changes should the security architect require before approving the code for release?
Answer options
- A. Allow only alphanumeric characters for the username.
- B. Make the password variable longer to support more secure passwords.
- C. Prevent more than 20 characters from being entered.
- D. Add a password parameter to the checkUserExists function.
Correct answer: C
Explanation
The correct answer is C because gets() reads a line of any length into the destination buffer with no knowledge of its size, which is the classic stack-based buffer overflow. Any input that does not fit in the 20-byte array (19 characters plus the terminating NUL) is written past its end and overwrites adjacent memory, such as the password array, saved registers, or the return address. Bounding the input to the buffer size removes that risk; gets() was removed from the C standard in C11 for exactly this reason. Options A, B, and D, while potentially valid improvements, do not address the immediate security risk posed by the missing input length check.
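The following is an added example (not part of the CompTIA question or its explanation) showing how the code would look once option C is applied. The function names read_line_bounded, get_username and check_user_exists, and the small user table, are assumptions made for illustration; the real checkUserExists from the question is not shown on the page. The bounded reader replaces gets() with fgets(), detects a line that did not fit instead of silently truncating it, and drains the rest of that line so the next read starts clean.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the test helper */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

#define NAME_LEN 20               /* same buffer size as the question's snippet */

/* Bounded replacement for gets(): read one line from `in` into buf[cap],
   never writing more than cap bytes.
   Returns  0 if the whole line fit (newline stripped),
           -1 if the line was too long (excess discarded, buf holds the truncated prefix),
           -2 on EOF/error before any data was read. */
int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0)
        return -2;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return -2;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';         /* line fit, drop the newline */
        return 0;
    }
    /* No newline in the buffer: either the line was exactly cap-1 characters,
       or it was longer than the buffer. Peek at the next byte to tell which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;                  /* fit exactly, or final line without newline */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                          /* discard the rest of the overlong line */
    return -1;
}

/* Policy wrapper: a username must be 1..NAME_LEN-1 characters; anything
   longer is rejected rather than quietly cut to fit. */
bool get_username(char *username, size_t cap, FILE *in)
{
    int rc = read_line_bounded(username, cap, in);
    if (rc != 0 || username[0] == '\0') {
        username[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed stand-in for the question's checkUserExists(): a fixed table. */
bool check_user_exists(const char *username)
{
    static const char *const users[] = { "alice", "bob" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i], username) == 0)
            return true;
    return false;
}

/* Test helper: feed one constructed input string through get_username().
   Returns 1 if accepted and equal to `expected`, 2 if accepted but different,
   0 if rejected, -1 if the in-memory stream could not be opened. */
int username_check(const char *input, const char *expected)
{
    char username[NAME_LEN];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    bool ok = get_username(username, sizeof username, in);
    fclose(in);
    if (!ok)
        return 0;
    return strcmp(username, expected) == 0 ? 1 : 2;
}

/* Test helper: after an overlong line is rejected, the next line must still
   be read intact. Returns 1 when that holds on a constructed two-line input. */
int overlong_then_valid(void)
{
    char first[NAME_LEN], second[NAME_LEN];
    char input[] = "this-username-is-far-too-long\nbob\n";   /* constructed */
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return -1;
    bool r1 = get_username(first, sizeof first, in);
    bool r2 = get_username(second, sizeof second, in);
    fclose(in);
    return (!r1 && r2 && strcmp(second, "bob") == 0 && check_user_exists(second)) ? 1 : 0;
}

int main(void)
{
    char username[NAME_LEN];
    fputs("username: ", stdout);
    if (!get_username(username, sizeof username, stdin)) {
        fprintf(stderr, "rejected: username must be 1 to %d characters\n", NAME_LEN - 1);
        return 1;
    }
    printf("%s: %s\n", username, check_user_exists(username) ? "exists" : "not found");
    return 0;
}
```

The key design choice is in read_line_bounded(): fgets() alone would split a 30-character line into a 19-character prefix and leave the remainder in the stream, so the next read would silently consume the tail as a new username. Peeking for the newline and draining the excess turns that into an explicit rejection, which is the behaviour option C asks for.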