...
The size of the array s is 3, although the size of the string literal is 4. Any subsequent use of the array as a null-terminated byte string can result in a vulnerability, because s is not properly null-terminated. (See STR32-C. Null-terminate byte strings as requiredDo not pass a non-null-terminated string to a library function that expects null termination.)
Implementation Details
This code compiles with no warning with Visual Studio 2013 and GCC 4.8.1. It produces a three-character array with no terminating null character, as specified by the standard.
...
Also, you should make clear in comments or documentation if a character array is, in fact, not a null-terminated byte string.
STR36-EX1EX2: If the character array must be larger than the string literal it is initialized with, you may explicitly specify an array bounds. This is particularly important if the array's contents might change during program execution.
...
...