We were doing some code reviews on the new Win7 SDK samples the other day and one of the code reviewers noticed that the code used wcslen to compute the length of a string.
He pointed out that the SDL Banned API page calls out strlen/wcslen as being banned APIs:
For critical functions, such as those accepting anonymous Internet connections, strlen must also be replaced:
Table 19. Banned string length functions and replacements
Banned APIs StrSafe Replacement Safe CRT Replacement strlen, wcslen, _mbslen, _mbstrlen, StrLen, lstrlen String*Length strnlen_s
I was quite surprised to see this, since I’m not aware of any issues where the use of strlen/wcslen could cause security bugs.
I asked Michael Howard about this and his response was that Table 19 has a typo – the word “server” is missing in the text, it should be “For critical server functions, such as those accepting anonymous Internet connections, strlen must also be replaced”.
Adding that one word makes all the difference. And it makes sense – if you’re a server and accepting anonymous data over the internet, an attacker could cause you to crash by issuing a non null terminated string that was long enough – banning the API forces the developer to think about the length of the string.
Somewhat OT, but I also think that the table is poorly formatted – the “For critical…” text should be AFTER the table title – the way the text is written, it appears to be a part of the previous section instead of being attached as explanatory text on Table 19 (but that’s just the editor in me).
Apparently in SDL v5.0 (which hasn’t yet shipped) the *len functions are removed from the banned API list entirely.