C28750

warning C28750: Banned usage of lstrlen and its variants

This warning indicates that a function is being used that has been banned, and has better replacements.

The lstrlen function and related variations fail to transmit exceptions that occur during operation. This can cause error conditions to happen much later, potentially on a different thread, making the error conditions harder to diagnose. In addition, equivalent substitute functions can be optimized by the compiler, and avoid the performance overhead of exception handlers (_try and _except blocks).

The lstrlen function and its variants are banned because they fail to transmit exceptions. The correct mitigation is to convert them to another string length function (usually strlen, wcslen, _tcslen). However, while you review the lstrlen changes, you should confirm that the string buffer is coming from trusted code. If you are dealing with untrusted data, you should instead switch from the strlen family of functions to the strnlen family (or StringCchLength family), which will ensure they don't go past the bounds of the untrusted data block.

Unlike lstrlen, none of the replacements catch exceptions. In addition, lstrlen allows NULL pointers, so if NULL pointers are possible at that point in the code, an explicit NULL check is required when replacing lstrlen with strlen or strnlen.

APIDescription

lstrlen

Trusted data replacement options: _tcslen

Untrusted data replacement: _tcsnlen, StringCchLength

lstrlenA

Trusted data replacement options: strlen

Untrusted data replacement: strnlen, StringCchLengthA

lstrlenW

Trusted data replacement options: wcslen

Untrusted data replacement: wcsnlen, StringCchLengthW

 

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft. All rights reserved.