This documentation is archived and is not being maintained.


Visual Studio .NET 2003

Registers a security error handler.

_secerr_handler_func _set_security_error_handler(


A security error handler function.


_set_security_error_handler lets you customize the response to a buffer overrun. Reporting buffer overrun conditions is enabled with /GS. _set_security_error_handler registers a security error handler, which should report the failure. A program compiled with /GS that overruns a buffer and does not define a custom handler failure handler will display a message box.

The parameter _secerr_handler_func is the typedef for security error handler functions, and is defined thus:

typedef void (__cdecl * _secerr_handler_func)(int, void *);

The error handler takes two parameters: the first is a code for the kind of failure; the second is a generic pointer to data, the meaning of which depends on the failure code.

The only security failure code available is _SECERR_BUFFER_OVERRUN, and the extra data is unused, and should always be NULL.

A user-written security handler should not try to throw or raise any sort of exception. If the return address is corrupted, any exception handler pointer in the same function is also probably corrupted, so trying to issue an exception will open the application to a security violation similar to a buffer overrun.

After handling a buffer overrun, you should terminate the thread or exit the process because the thread's stack is corrupted.

There is a single _set_security_error_handler handler for all dynamically linked DLLs or EXEs; even if you call _set_security_error_handler your handler may be replaced by another or that you are replacing a handler set by another DLL or EXE.


Routine Required header Compatibility
_set_security_error_handler <stdlib.h> Win 98, Win Me, Win NT, Win 2000, Win XP

For additional compatibility information, see Compatibility in the Introduction.


All versions of the C run-time libraries.


This sample demonstrates buffer overrun detection with user's security handler installed. The program will print a message to standard output and then exit.

// crt_set_security_error_handler.c
// compile with: /GS
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
void __cdecl report_failure(int code, void * unused)
      printf("Buffer overrun detected! Program will end.\n");

void vulnerable(const char *str)
   char buffer[10];
   strcpy(buffer, str); // overrun buffer !!!

int main()
   char large_buffer[] = "This string is longer than 10 characters!!!";


Buffer overrun detected! Program will end.

See Also

Debug Routines | Run-Time Routines and .NET Framework Equivalents