
It seems 64-bit addresses must end in two null bytes. But strcpy will copy only one null byte in the entire payload.


1 Answer


You are correct. With strcpy() you can put at most one gadget.

The second null byte is often not a problem, as you often find a null byte there anyway from a previous address or integer.

If you need to put a complete ROP chain, you can check if you can trigger the bug repeatedly and fill the buffer in reverse with strings of decreasing length.
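To make the mechanism behind both the question and the answer concrete, here is an added Python illustration (it is not part of the question or the answer above) that emulates the stop-at-NUL behaviour of C's strcpy(). It packs two constructed sample addresses, ADDR_A and ADDR_B, into little-endian byte order, shows that a canonical user-space x86-64 address ends in two NUL bytes, and shows that one strcpy() of the concatenated addresses writes only seven bytes, so the second address never reaches the buffer. The address values and the 32-byte zero-filled destination are assumptions chosen for the demonstration.

```python
import struct

# Constructed sample values: two canonical user-space x86-64 addresses.
# They are assumptions for this illustration, not values from the question.
ADDR_A = 0x00007FFFF7A12345
ADDR_B = 0x00007FFFF7A16789


def packed_address(addr: int) -> bytes:
    """Encode a 64-bit address as the 8 little-endian bytes it occupies in memory."""
    return struct.pack("<Q", addr)


def trailing_nulls(addr: int) -> int:
    """Count the zero bytes at the end of the in-memory encoding of addr.
    Canonical user-space x86-64 addresses have their top 16 bits clear,
    so the encoding ends in two NUL bytes."""
    encoded = packed_address(addr)
    count = 0
    for byte in reversed(encoded):
        if byte != 0:
            break
        count += 1
    return count


def strcpy_emulate(dest: bytearray, offset: int, src: bytes) -> int:
    """Emulate C strcpy(): copy bytes from src up to and including the first NUL.
    Returns how many bytes were written into dest (terminator included).
    src must contain a NUL, as every C string does."""
    length = src.index(0) + 1
    dest[offset:offset + length] = src[:length]
    return length


def copy_two_addresses(dest_size: int = 32) -> tuple:
    """Attempt to deliver two consecutive 8-byte addresses with one strcpy() call.
    Returns (bytes_written, destination contents) so the truncation is visible.
    The destination is zero-filled (an assumption), which is why the eighth byte
    of the first address, the one strcpy() never copies, still reads as zero."""
    dest = bytearray(dest_size)
    payload = packed_address(ADDR_A) + packed_address(ADDR_B)
    written = strcpy_emulate(dest, 0, payload)
    return written, bytes(dest)


if __name__ == "__main__":
    print("trailing NULs in ADDR_A:", trailing_nulls(ADDR_A))           # 2
    written, dest = copy_two_addresses()
    print("bytes written by one strcpy():", written)                   # 7: six address bytes plus the NUL
    print("first 8 bytes of dest:", dest[:8].hex())
    print("ADDR_B reached the buffer:", packed_address(ADDR_B) in dest)  # False
```

The run shows the two points made above: the copy stops after the first address because its seventh byte is the first NUL in the payload, and the eighth byte of that address is only correct because the destination already held a zero there.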
