diff --git a/input/edit.i64 b/input/edit.i64
index c2e8353..91ff49f 100644
Binary files a/input/edit.i64 and b/input/edit.i64 differ
diff --git a/input/recv.i64 b/input/recv.i64
index 7310622..7655d44 100644
Binary files a/input/recv.i64 and b/input/recv.i64 differ
diff --git a/output/recv_patch/recv b/output/recv_patch/recv
index e0b71a6..88be3ea 100755
Binary files a/output/recv_patch/recv and b/output/recv_patch/recv differ
diff --git a/src/Extract_code b/src/Extract_code
index 9bd4f14..78abb34 160000
--- a/src/Extract_code
+++ b/src/Extract_code
@@ -1 +1 @@
-Subproject commit 9bd4f149a51a3953a9ec15d108e655be11ede790
+Subproject commit 78abb34f2bb4325eb0da265ebdac8d54ade50a4f
diff --git a/src/chat_log.json b/src/chat_log.json
index 1eebcfd..320d18f 100644
--- a/src/chat_log.json
+++ b/src/chat_log.json
@@ -1404,31 +1404,5 @@
             "role": "assistant",
             "content": "Yes, reason here: The `recv` function in the `echo_handler` function is vulnerable to a buffer overflow. The `recv` function is called with a buffer size of `0x400` (1024 bytes), but the `buffer` array is only 256 bytes in size. This means that if more than 256 bytes are received, it will overflow the `buffer` array, potentially overwriting adjacent memory and leading to undefined behavior or security vulnerabilities."
         }
-    ],
-    [
-        {
-            "role": "user",
-            "content": "Please analyze whether the following program contains a dprintf format string vulnerability. If you find dprintf format string vulnerability please answer with 'yes, reason here'.\n//Function: echo_handler ->0x4199190 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n  char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n  memset(buffer, 0, sizeof(buffer));\n  return recv(sock, buffer, 0x100uLL, 0) > 0 && dprintf(sock, buffer) > 0;\n}\n\n\n//Function: main ->0x4199603 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n  uint16_t v3; // ax\n  char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n  int addrlen; // [rsp+18h] [rbp-28h] BYREF\n  int opt; // [rsp+1Ch] [rbp-24h] BYREF\n  sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n  int new_socket; // [rsp+38h] [rbp-8h]\n  int server_fd; // [rsp+3Ch] [rbp-4h]\n\n  opt = 1;\n  addrlen = 16;\n  server_fd = socket(2, 1, 0);\n  if ( !server_fd )\n  {\n    perror(\"socket failed\");\n    exit(1);\n  }\n  if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n  {\n    perror(\"setsockopt\");\n    exit(1);\n  }\n  address.sin_family = 2;\n  address.sin_addr.s_addr = 0;\n  address.sin_port = htons(0x2B00u);\n  if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n  {\n    perror(\"bind failed\");\n    exit(1);\n  }\n  if ( listen(server_fd, 3) < 0 )\n  {\n    perror(\"listen\");\n    exit(1);\n  }\n  printf(\"TCP server listening on port %d\\n\", 11008);\n  new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n  if ( new_socket < 0 )\n  {\n    perror(\"accept\");\n    exit(1);\n  }\n  inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n  v3 = ntohs(address.sin_port);\n  printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n  while ( echo_handler(new_socket) )\n    ;\n  close(new_socket);\n  return 0;\n}\n\n\n//Function: backdoor ->0x4200059 7 perm->5\nint __cdecl backdoor()\n{\n  char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n  char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n  new_argv[1] = 0LL;\n  new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n  new_envp[1] = 0LL;\n  dup2(4, 0);\n  dup2(4, 1);\n  dup2(4, 2);\n  execve(\"/bin/sh\", new_argv, new_envp);\n  return 0;\n}\n\n\n"
-        },
-        {
-            "role": "assistant",
-            "content": "Yes, the program contains a format string vulnerability in the `echo_handler` function. The vulnerability arises from the use of `dprintf(sock, buffer)` where `buffer` is directly passed as the format string. Since `buffer` is populated with data received from the network via the `recv` function, an attacker can send a specially crafted string to exploit this vulnerability.\n\nIf the attacker sends format specifiers (like `%s`, `%x`, `%n`, etc.) in the data received into `buffer`, these will be interpreted by `dprintf` as format specifiers, potentially leading to information disclosure, denial of service, or even arbitrary code execution, depending on the context and the specific format specifiers used.\n\nTo mitigate this vulnerability, the code should use a fixed format string and pass `buffer` as an argument, like so:\n\n```c\ndprintf(sock, \"%s\", buffer);\n```\n\nThis change ensures that any format specifiers in `buffer` are treated as literal text rather than being interpreted by `dprintf`."
-        },
-        {
-            "role": "user",
-            "content": "Please analyze whether the following program contains a dprintf format string vulnerability. If you find dprintf format string vulnerability please answer with 'yes, reason here'.\n//Function: echo_handler ->0x4199190 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n  char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n  memset(buffer, 0, sizeof(buffer));\n  return recv(sock, buffer, 0x100uLL, 0) > 0 && dprintf(sock, buffer) > 0;\n}\n\n\n//Function: main ->0x4199603 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n  uint16_t v3; // ax\n  char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n  int addrlen; // [rsp+18h] [rbp-28h] BYREF\n  int opt; // [rsp+1Ch] [rbp-24h] BYREF\n  sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n  int new_socket; // [rsp+38h] [rbp-8h]\n  int server_fd; // [rsp+3Ch] [rbp-4h]\n\n  opt = 1;\n  addrlen = 16;\n  server_fd = socket(2, 1, 0);\n  if ( !server_fd )\n  {\n    perror(\"socket failed\");\n    exit(1);\n  }\n  if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n  {\n    perror(\"setsockopt\");\n    exit(1);\n  }\n  address.sin_family = 2;\n  address.sin_addr.s_addr = 0;\n  address.sin_port = htons(0x2B00u);\n  if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n  {\n    perror(\"bind failed\");\n    exit(1);\n  }\n  if ( listen(server_fd, 3) < 0 )\n  {\n    perror(\"listen\");\n    exit(1);\n  }\n  printf(\"TCP server listening on port %d\\n\", 11008);\n  new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n  if ( new_socket < 0 )\n  {\n    perror(\"accept\");\n    exit(1);\n  }\n  inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n  v3 = ntohs(address.sin_port);\n  printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n  while ( echo_handler(new_socket) )\n    ;\n  close(new_socket);\n  return 0;\n}\n\n\n//Function: backdoor ->0x4200059 7 perm->5\nint __cdecl backdoor()\n{\n  char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n  char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n  new_argv[1] = 0LL;\n  new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n  new_envp[1] = 0LL;\n  dup2(4, 0);\n  dup2(4, 1);\n  dup2(4, 2);\n  execve(\"/bin/sh\", new_argv, new_envp);\n  return 0;\n}\n\n\n"
-        },
-        {
-            "role": "assistant",
-            "content": "Yes, the program contains a format string vulnerability in the `echo_handler` function. The vulnerability arises from the use of `dprintf(sock, buffer)` without specifying a format string. This allows an attacker to send a format string as input through the socket, which will be interpreted by `dprintf` as a format specifier. This can lead to various security issues, such as reading from or writing to arbitrary memory locations, depending on the format string used by the attacker. To mitigate this vulnerability, you should use a format specifier in `dprintf`, such as `dprintf(sock, \"%s\", buffer)`, to ensure that the input is treated as a string and not as a format specifier."
-        },
-        {
-            "role": "user",
-            "content": "Please analyze whether the following program contains a dprintf format string vulnerability. If you find dprintf format string vulnerability please answer with 'yes, reason here'.\n//Function: echo_handler ->0x4199190 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n  char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n  memset(buffer, 0, sizeof(buffer));\n  return recv(sock, buffer, 0x100uLL, 0) > 0 && dprintf(sock, buffer) > 0;\n}\n\n\n//Function: main ->0x4199603 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n  uint16_t v3; // ax\n  char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n  int addrlen; // [rsp+18h] [rbp-28h] BYREF\n  int opt; // [rsp+1Ch] [rbp-24h] BYREF\n  sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n  int new_socket; // [rsp+38h] [rbp-8h]\n  int server_fd; // [rsp+3Ch] [rbp-4h]\n\n  opt = 1;\n  addrlen = 16;\n  server_fd = socket(2, 1, 0);\n  if ( !server_fd )\n  {\n    perror(\"socket failed\");\n    exit(1);\n  }\n  if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n  {\n    perror(\"setsockopt\");\n    exit(1);\n  }\n  address.sin_family = 2;\n  address.sin_addr.s_addr = 0;\n  address.sin_port = htons(0x2B00u);\n  if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n  {\n    perror(\"bind failed\");\n    exit(1);\n  }\n  if ( listen(server_fd, 3) < 0 )\n  {\n    perror(\"listen\");\n    exit(1);\n  }\n  printf(\"TCP server listening on port %d\\n\", 11008);\n  new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n  if ( new_socket < 0 )\n  {\n    perror(\"accept\");\n    exit(1);\n  }\n  inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n  v3 = ntohs(address.sin_port);\n  printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n  while ( echo_handler(new_socket) )\n    ;\n  close(new_socket);\n  return 0;\n}\n\n\n//Function: backdoor ->0x4200059 7 perm->5\nint __cdecl backdoor()\n{\n  char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n  char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n  new_argv[1] = 0LL;\n  new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n  new_envp[1] = 0LL;\n  dup2(4, 0);\n  dup2(4, 1);\n  dup2(4, 2);\n  execve(\"/bin/sh\", new_argv, new_envp);\n  return 0;\n}\n\n\n"
-        },
-        {
-            "role": "assistant",
-            "content": "Yes, the program contains a `dprintf` format string vulnerability. The vulnerability is present in the `echo_handler` function, where the `dprintf` function is called with `buffer` as its format string argument:\n\n```c\ndprintf(sock, buffer)\n```\n\nThe `buffer` is filled with data received from the network via the `recv` function:\n\n```c\nrecv(sock, buffer, 0x100uLL, 0)\n```\n\nSince the contents of `buffer` are controlled by the network client, an attacker can send a specially crafted string containing format specifiers (e.g., `%x`, `%s`, `%n`) to exploit this vulnerability. This can lead to information disclosure, denial of service, or even arbitrary code execution, depending on the specifics of the attack and the environment in which the program is running."
-        }
     ]
 ]
\ No newline at end of file
diff --git a/src/output/edit_extract/patch_strcpy.json b/src/output/edit_extract/patch_strcpy.json
index f912773..f023b10 100644
--- a/src/output/edit_extract/patch_strcpy.json
+++ b/src/output/edit_extract/patch_strcpy.json
@@ -1148,5 +1148,23 @@
         "vul_info": [],
         "fix_size": 1035,
         "patch_info": "we need to consider the size of the destination buffer, which is `newNode->data`. However, the size of `newNode->data` is not explicitly provided in the code snippet you shared. "
+    },
+    {
+        "file_name": "edit_extract.c",
+        "vul_info": [],
+        "fix_size": 1024,
+        "patch_info": "we need to consider the size of the destination buffer where the string is being copied. In the `add` function, the destination buffer is `newNode->data`."
+    },
+    {
+        "file_name": "edit_extract.c",
+        "vul_info": [],
+        "fix_size": 1035,
+        "patch_info": "we need to consider the size of the destination buffer, which is `newNode->data`. However, the code snippet provided does not explicitly define the structure of `Node` or the size of `newNode->data`. "
+    },
+    {
+        "file_name": "edit_extract.c",
+        "vul_info": [],
+        "fix_size": 1024,
+        "patch_info": "we need to consider the size of the destination buffer where the string is being copied. In the `add` function, the destination buffer is `newNode->data`."
     }
 ]
\ No newline at end of file
diff --git a/src/output/recv_extract/patch_recv.json b/src/output/recv_extract/patch_recv.json
index 250a035..6f61531 100644
--- a/src/output/recv_extract/patch_recv.json
+++ b/src/output/recv_extract/patch_recv.json
@@ -200,5 +200,23 @@
         "vul_info": [],
         "fix_size": 256,
         "patch_info": "but `recv` is called with a size of 0x400 (1024) bytes, which can lead to a buffer overflow if more than 256 bytes are received."
+    },
+    {
+        "file_name": "recv_extract.c",
+        "vul_info": [],
+        "fix_size": 255,
+        "patch_info": "you should limit the size of data received to match the buffer size. The buffer `buffer` is declared with a size of 256 bytes. Therefore, the `recv` call should be limited to 255 bytes to leave space for the null terminator."
+    },
+    {
+        "file_name": "recv_extract.c",
+        "vul_info": [],
+        "fix_size": 256,
+        "patch_info": "you should limit the size of data received to the size of the buffer. In the `echo_handler` function, the buffer is defined as `char buffer[256];`, which means it can safely hold up to 256 bytes."
+    },
+    {
+        "file_name": "recv_extract.c",
+        "vul_info": [],
+        "fix_size": 255,
+        "patch_info": "you should limit the size of the data received by the `recv` function to the size of the buffer. The buffer is declared as `char buffer[256];`, so the maximum safe size for `recv` should be 255 bytes to leave room for the null terminator."
     }
 ]
\ No newline at end of file