Do all C programs have buffer overflows?
No. Clearly, there are examples of programs which provably do not have buffer overflows or are free of them for all practical purposes, yet every C or C++ program which is widely used on the Internet has had one or more buffer overflow problems in its history. Every single one, except possibly for qmail, authored by secure coding practices guru Dan Bernstein. Someone here asserted that the Java runtime is an example of a C/C++ program with no buffer overflows. Java certainly has had buffer overflows in the past (http://lists.netsys.com/pipermail/full-disclosure/2002-November/002642.html). Does it now? Your guess is as good as mine. Additionally, the Java VM is exactly the kind of program that will have fewer problems with buffer overflows, because the bulk of its work involves trundling through Java bytecode. It doesn’t work with arbitrary string data very much. The Java compiler, which works with string data a great deal, is typically written in Java, and isn’t a useful attack vector.