Tokyohot | N0541
stack (login): 0x7fffffffe5c0 buf[0x40]

The login function does not allocate any heap memory; it uses the stack buffer buf. However, after the call to login, the program returns to menu, which later accesses the users array in the global BSS. The overflow in login does not directly touch the global variable – it only corrupts the stack.
There is a hidden detail: the program copies the password from the stack buffer into the heap password field using strcpy:
typedef struct {
    char *name;  /* pointer to the user name */
    char *pwd;   /* pointer to the heap password field */
} user_t;