--- a/handouts/ho03.tex Fri Oct 10 12:44:36 2014 +0100
+++ b/handouts/ho03.tex Fri Oct 10 13:09:06 2014 +0100
@@ -505,9 +505,30 @@
While the program above contains clearly a programming
mistake (forgotten format string), things are not as simple
when the application reads data from the user and prompts
-responses containing the user input.
+responses containing the user input. Consider the slight
+variant of the program above
+
+\lstinputlisting[language=C]{../progs/C5.c}
-\subsubsection*{Caveats}
+\noindent Here the programmer actually to take extra care to
+not fall pray to a buffer overflow attack, but in the process
+made the program susceptible to a format string attack.
+Clearly the \pcode{printf} function in Line 7 contains now
+an explicit format string, but because the commandline
+input is copied using the function \pcode{snprintf} the
+result will be the same---the string can be exploited
+by embedding format strings into the user input. Here the
+programmer really cannot be blamed (much) because by using
+\pcode{snprintf} he or she tried to make sure only 10
+characters get copied into the local buffer---in this way
+avoiding the obvious buffer overflow attack.
+
+\subsubsection*{Caveats and Defences}
+
+How can we defend against these attacks? Well, a reflex could
+be to blame programmers. Precautions should be taken that
+buffers cannot been overfilled and format strings should not
+be forgotten.
\bigskip\bigskip
\subsubsection*{A Crash-Course for GDB}
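Review bot: the paragraph added after the C5.c listing claims "because the commandline input is copied using the function \pcode{snprintf} the result will be the same" without giving the reason; if the program hands the command-line argument to \pcode{snprintf} as its format argument, say so explicitly, because \pcode{snprintf} interprets \pcode{%} directives exactly as \pcode{printf} does, which is why the explicit format string in Line 7 does not help. Two wording fixes in the same paragraph: "Here the programmer actually to take extra care" is missing a verb (e.g. "actually took extra care"), and "fall pray" should be "fall prey". Also, with a size argument of 10, \pcode{snprintf} stores at most 9 characters plus the terminating NUL byte, so "only 10 characters get copied into the local buffer" slightly overstates it. In the new "Caveats and Defences" paragraph, "buffers cannot been overfilled" should read "buffers cannot be overfilled".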