Table of contents
Collapse the table of content
Expand the table of content


Last Updated: 11/22/2016

warning C28750: Banned usage of lstrlen and its variants

This warning indicates that a function is being used that has been banned, and has better replacements.

The lstrlen function and related variations fail to transmit exceptions that occur during operation. This can cause error conditions to happen much later, potentially on a different thread, making the error conditions harder to diagnose. In addition, equivalent substitute functions can be optimized by the compiler, and avoid the performance overhead of exception handlers (_try and _except blocks).

The lstrlen function and its variants are banned because they fail to transmit exceptions. The correct mitigation is to convert them to another string length function (usually strlen, wcslen, _tcslen). However, while you review the lstrlen changes, you should confirm that the string buffer is coming from trusted code. If you are dealing with untrusted data, you should instead switch from the strlen family of functions to the strnlen family (or StringCchLength family), which will ensure they don't go past the bounds of the untrusted data block.

Unlike lstrlen, none of the replacements catch exceptions. In addition, lstrlen allows NULL pointers, so if NULL pointers are possible at that point in the code, an explicit NULL check is required when replacing lstrlen with strlen or strnlen.



Trusted data replacement options: _tcslen

Untrusted data replacement: _tcsnlen, StringCchLength


Trusted data replacement options: strlen

Untrusted data replacement: strnlen, StringCchLengthA


Trusted data replacement options: wcslen

Untrusted data replacement: wcsnlen, StringCchLengthW

Send comments about this topic to Microsoft

© 2017 Microsoft