by chigley 4410 days ago
> Therefore, if we are copying into s2 and we only leak data after the 4th character, we can assume that by default in the uninitialized stack there is a null at s23.

I'm very inexperienced with reverse-engineering, and haven't finished the article yet, but is "s23" here a typo? I can't find any other reference to it in the article, and it doesn't make sense to me. Should it be "s2"? Thanks.


It might be a slight typo, but I think that s23 is referring to the 3rd index in s2. Since the 4th character (or index 3 in a 0-indexed string) is the one that is causing the leak, this must be where the null character is.
That makes perfect sense, thank you!