BUGS: Never use gets().
--Linux man page
, section 3
gets was the original and simplest possible way to read a string from any input stream until a newline symbol is reached. gets' sole parameter is a char*, a pointer to the head of the array of char into which the string should be read.
gets is most notable for the parameter it does not have. gets has no "maximum read limit", nor does it have any way of figuring out how large your input array is. Therefore, gets will cheerfully run off the end of your array, into whatever memory happens to follow it, should it see input larger than the amount of memory allocated.
The most benign possible result of such a bug, known as a buffer overrun, is a quick and clean death by segmentation fault. Unfortunately, many incompetent programmers would generally simply increase the size of the array in this case, rather than actually fix the problem by using some other input system call. A segmentation fault is a clean crash of the program, and the kindest possible result. What is much more popular, especially among script kiddies, is to use the buffer overrun as an exploit into the program, to make it do things it was never intended to do. Raw machine code can be entered into the string, and careful placement of values can overwrite a return address, causing the instruction pointer to jump onto the stack, where the malicious code has been placed. The program will then execute whatever instructions it has been given, which are frequently detrimental to the health of the computer. An especially careful cracker will end the code with commands to return the program to its normal flow, none the wiser for its catastrophic error.
Use of gets, therefore, is like standing up and waving a very large sign labeled "PLEASE HACK ME". No program that uses gets can be made to be secure or stable, as there is no way to use gets and avoid the risk of a buffer overrun.
Uses of gets or similar input functions that do not check bounds are very popular causes of disastrous security holes in professional software.