...
In this example derived from mercy 06, the programmer mistakenly fails to set the local variable mesg to the msg argument in the log_error function. When the sprintf() call dereferences the mesg pointer, it actually dereferences the address that was supplied in the username buffer, which in this case is the address of "password". The sprintf() call copies all of the data supplied in "password" until a null byte is reached. Because the "password" buffer is larger than buffer, a buffer overflow occurs.
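A hardened counterpart to the function described above, as an added example that is not code from the original page: mesg is initialized from msg at its declaration and the copy is bounded with snprintf(). The 24-byte size of buffer, the helper format_error() and the sample messages are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 24  /* assumed size of the page's `buffer` */

/*
 * Flawed shape described in the text (kept as a comment, not compiled):
 *     char *mesg;                          -- never assigned from msg
 *     char buffer[LOG_BUF_SIZE];
 *     sprintf(buffer, "Error: %s", mesg);  -- indeterminate pointer, no bound
 */

/* Hypothetical helper: formats "Error: <msg>" into caller-supplied storage.
 * Returns 0 on success, 1 if the message was truncated to fit,
 * -1 on invalid arguments or an encoding error. */
int format_error(char *out, size_t out_size, const char *msg) {
    const char *mesg = msg;          /* initialized where it is declared */
    int n;

    if (out == NULL || out_size == 0)
        return -1;
    if (mesg == NULL)                /* never pass a null pointer to %s */
        mesg = "(null)";

    n = snprintf(out, out_size, "Error: %s", mesg);
    if (n < 0) {                     /* encoding error: leave an empty string */
        out[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it wanted to write; compare to detect truncation */
    return ((size_t)n >= out_size) ? 1 : 0;
}

/* Same role as the page's log_error, but bounded and fully initialized. */
int log_error(const char *msg) {
    char buffer[LOG_BUF_SIZE];
    int rc = format_error(buffer, sizeof buffer, msg);

    if (rc >= 0)
        fprintf(stderr, "%s%s\n", buffer, rc == 1 ? " [truncated]" : "");
    return rc;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one longer than the buffer. */
    log_error("disk full");
    log_error("a message far longer than the 24-byte log buffer");
    return 0;
}
```

Compiler diagnostics such as -Wuninitialized catch some reads of an unset local at build time, but the bounded copy is still needed for the case where the source string is longer than the destination.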
...