The problem is that the gets() API itself is flawed, not the implementation. The API is basically "Here's my buffer, please fill it with a line of input." There is no parameter to specify how big the buffer is, so the gets() implementation has no way of knowing when it has written too much.
The only way to fix it would be to change the API to add a size parameter. Changing an API that is already in use is just asking for trouble. If you changed it without recompiling EVERY program that uses it, then the old programs would effectively be passing a bogus size parameter on the stack, which is worse than no size at all. So changing the API would require everyone to rewrite their code, and at that point, you might as well rewrite the code to use fgets() instead, which already has a size parameter.
So the solution in practice is to leave gets() the way it is, so that existing users don't have to change their code. For many programs this may be OK if there is little or no risk of an oversized input line. But for any new code, or when touching old code, the recommendation is to use fgets() instead.
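The fgets() replacement recommended above, as an added example that is not part of the original answer. The helper name read_line() and the line_status values are hypothetical; the helper drops the trailing newline as gets() does and reports an oversized line instead of writing past the buffer.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum line_status { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/* read_line() is a hypothetical helper, not a standard library function.
 * Unlike gets(buf), the caller states the buffer capacity (including the
 * terminating NUL), so the callee knows where it must stop writing. */
enum line_status read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0)
        return LINE_EOF;                  /* no room even for the NUL */
    int n = size > INT_MAX ? INT_MAX : (int)size;   /* fgets() takes an int */
    if (fgets(buf, n, in) == NULL)
        return LINE_EOF;                  /* end of input or read error */

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* gets() discards the newline too */
        return LINE_OK;
    }

    /* No newline was stored: either the buffer filled up or input ended.
     * Consume the rest of the line so the next call starts on a fresh
     * line, and count what was dropped to tell the two cases apart. */
    size_t dropped = 0;
    int c;
    while ((c = getc(in)) != '\n' && c != EOF)
        dropped++;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

int main(void)
{
    char buf[16];
    enum line_status st;

    /* Echo each line from stdin, flagging lines that did not fit. */
    while ((st = read_line(stdin, buf, sizeof buf)) != LINE_EOF)
        printf("%s%s\n", buf, st == LINE_TRUNCATED ? " [truncated]" : "");
    return 0;
}
```

A caller that must not act on partial input should treat LINE_TRUNCATED as an error rather than using the shortened string.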