The "gets" worm. The following code is part of an internet server. When it runs, standard input is connected to a client program somewhere out on the network, so every character it reads is chosen by whoever is at the other end.

    #include <stdio.h>

    /* A home-made gets(): copies one line from standard input into s.
       It shadows the library function of the same name. Note that
       nothing ever compares i against the size of the array s. */
    char *gets(char *s) {
        for (int i = 0; ; i += 1) {
            int c = getchar();
            if (c == '\n') {
                s[i] = 0;
                return s;
            } else if (c == EOF) {
                s[i] = 0;
                if (i == 0) return NULL; else return s;
            } else {
                s[i] = c;
            }
        }
    }

    void receive_input() {
        char line[20];      /* room for 19 characters plus the terminator */
        gets(line);         /* but the client may send far more than that */
        ...
        ...
    }

    void process_connection() {
        ...
        ...
        receive_input();
        ...
        ...
    }

Assume our regular stack-frame format: parameters at the highest addresses, then the return address, then the saved frame pointer, then local variables at the lowest addresses. (The four-byte figures below also assume 32-bit addresses.)

What happens if a mischievous client transmits the 28 characters

    ABCDEFGHIJKLMNOPQRSTUVWX$1q{

The first 20 (A-T) fill up the array "line". Where do the next 4 (UVWX) go? What is it that they overwrite? And where do the next 4 ($1q{) go? What special thing do they overwrite?

Assuming ASCII code, the four characters $1q{ are, in binary,

    00100100 00110001 01110000 01111011

which, read as one 32-bit number with the most significant byte first, is 607219835 in decimal. (On a little-endian machine the same four bytes in memory are read in the opposite order, giving 0x7B703124; the questions that follow are the same, only the number differs.) What would happen if some executable code just happened to be in memory at location 607219835? What would happen if 607219835 just happened to be the address of the array variable "line"? And what if the characters ABCD,

    01000001 01000010 01000011 01000100

just happened to share their binary representation with some executable instruction? Or what if I wrote a little program in assembly code, converted it to binary, used a table of ASCII codes to convert that to a sequence of characters, and sent those characters instead of the letters A to T?