GPN CTF 2026 Recipe for Disaster writeup — gets() overflows char note[32] into an adjacent int price field

GPN CTF 2026 — Recipe for Disaster: gets() Overflow into an Adjacent int

Platform: GPN CTF 2026 (kitctf)
Difficulty: Easy
OS: Pwn — stack buffer overflow, adjacent-field overwrite
Tags: reading the Item struct layout to confirm note and price are adjacent with no padding, sending 32 bytes of A plus four bytes of 0xff to set price to -1, observing verify_total trigger print_coupon, recognising gets() as a deprecated-in-C11 vulnerability since the Morris Worm (1988)

Recipe for Disaster is the GPN CTF 2026 pwn challenge, and the most direct teaching example you’ll ever see of why gets was removed from C11. A note-taking program reads into a 32-byte note field with gets() — no length limit. Type 35 characters and the 33rd through 36th overflow into the adjacent int price field in the same Item struct. Set price = -1 and verify_total() triggers print_coupon() → flag. The flag itself names the lesson: ...

June 7, 2026 · 6 min · 1104 words · CyberSecurity Elite Team
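The adjacent-field overwrite summarised above, next to the bounded read that prevents it, as an added example (not code from the writeup or the challenge binary). The struct layout is assumed from the page's description of `note` and `price`; `START_PRICE`, the two function names and the 128-byte scratch frame are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the page names only char note[32] and an adjacent int price. */
struct Item { char note[32]; int price; };
#define START_PRICE 100   /* constructed starting value */

/* Model of the unbounded read: gets() stores every input byte plus a NUL
 * starting at note[0]. The copy runs in an oversized scratch frame so the
 * demonstration itself never writes out of bounds. */
int price_after_unbounded_read(const char *in, size_t len) {
    struct Item it = { "", START_PRICE };
    unsigned char frame[128];
    int price;
    if (len + 1 > sizeof frame) return START_PRICE;  /* too large for this model */
    memcpy(frame, &it, sizeof it);
    memcpy(frame, in, len);          /* no check against sizeof it.note */
    frame[len] = '\0';               /* terminator that gets() appends */
    memcpy(&price, frame + offsetof(struct Item, price), sizeof price);
    return price;
}

/* Hardened read: fgets() stores at most sizeof note - 1 bytes plus a NUL;
 * the rest of the line is drained so it cannot reach the next prompt. */
int price_after_bounded_read(const char *in, size_t len) {
    struct Item it = { "", START_PRICE };
    FILE *fp = tmpfile();            /* stands in for stdin */
    int c;
    if (fp == NULL) return -2;       /* could not create the scratch stream */
    fwrite(in, 1, len, fp);
    fputc('\n', fp);
    rewind(fp);
    if (fgets(it.note, sizeof it.note, fp) && !strchr(it.note, '\n'))
        while ((c = fgetc(fp)) != EOF && c != '\n') { }
    fclose(fp);
    return it.price;
}

int main(void) {
    char in[36];                     /* constructed input: 32 'A' + four 0xff */
    memset(in, 'A', 32);
    memset(in + 32, 0xff, 4);
    printf("price offset: %zu\n", offsetof(struct Item, price));
    printf("unbounded:    %d\n", price_after_unbounded_read(in, sizeof in));
    printf("bounded:      %d\n", price_after_bounded_read(in, sizeof in));
    return 0;
}
```

Building real code that calls `gets()` already draws a compiler or linker warning on current toolchains, which makes the call easy to catch in CI.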