8

I've been getting this C4996 error in Visual Studio as a result of using the scanf() function.

It turned out that the solution to this problem is adding the line _CRT_SECURE_NO_WARNINGS to Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions -> Edit.

It fixed the problem perfectly, but I could not find a proper explanation of the actual meaning of this thing. If it disables warnings, why did my program crash in the first place? What is "CRT"?

An example of a crashing program:

#include <stdio.h>

/* Implicit-int main() is not valid in modern C; declare it properly. */
int main(void)
{
    int number;
    printf("enter a number\n");
    scanf("%d", &number);   /* this call is what triggers C4996 in Visual Studio */
    return 0;
}

And the error message: [screenshot: The _CRT_SECURE_NO_WARNINGS error message]

user438383

  • CRT is the C Run Time library. `_CRT_SECURE_NO_WARNINGS` means you don't want the compiler to suggest the secure versions of the library functions, e.g. `scanf_s` when you use `scanf`. – user3386109 Jan 16 '20 at 18:57
  • See https://stackoverflow.com/questions/2430303/disadvantages-of-scanf – jamieguinan Jan 16 '20 at 18:58
  • MSVC wants you to use its own supposedly more secure versions of functions such as `scanf` by using their `scanf_s` etc. But they are just as tricky to use, and they are not a direct replacement (their arguments are different), so arguably they are no safer. And they are non-standard. That definition suppresses the compiler "warnings". – Weather Vane Jan 16 '20 at 18:59
  • scanf [is risky](https://en.wikipedia.org/wiki/Scanf_format_string#Vulnerabilities). MSVC prefers you use the alternative offered by the C11 Annex K standard. The arguments are the same and it is safer by demanding that the formatting string specifies buffer sizes. And a standard, albeit that library writers are permitted to ignore it. They didn't, their library has been subjected to attacks for a long time. – Hans Passant Jan 16 '20 at 19:14
  • @HansPassant the [MS version](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/scanf-s-scanf-s-l-wscanf-s-wscanf-s-l?view=vs-2019) arguments are **not** the same. *"Unlike `scanf` ... `scanf_s` ... requires the buffer size to be specified for all input parameters of type c, C, s, S, or string control sets that are enclosed in []. The buffer size in characters is passed as an additional parameter immediately following the pointer to the buffer or variable."* The buffer sizes are not in the formatting string. – Weather Vane Jan 16 '20 at 19:35
  • @HansPassant `scanf` is not riskier than the rest of C: That is, it is totally safe when used properly. In fact, if you use constant format strings and length specifiers for your strings and don't use %n it is probably *safer* than the rest of C. – Peter - Reinstate Monica Jan 16 '20 at 19:39

1 Answer

4

CRT is the C Runtime Library in Windows, which provides you with functions like scanf. On Linux this is done by GNU libc (glibc).

As @jamieguinan pointed out, scanf has some security flaws, like buffer overflow, in which the user-provided input could be bigger than the size of the buffer, causing it to overwrite some other memory.

And this is the reason why Visual Studio is warning you to use scanf_s, which is a safer version of scanf.

You can put this preprocessor definition in your code to disable this warning:

#define _CRT_SECURE_NO_WARNINGS   /* must appear before the first #include */

Though it is not necessary if you really know what you are doing.

Aditya
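As an added example (not code from the question or the answer above), the unbounded scanf form the warning targets, beside the portable width-limited fix and the MSVC scanf_s form discussed in the comments. It uses sscanf on a constructed string instead of scanf on stdin so it runs offline; the format-string rules are identical, and the function names are my own.

```c
/* Added example, not from the question or the answer. The define must precede
 * the first #include: on MSVC it silences C4996 for the scanf family, on other
 * compilers it is simply unused. sscanf on a constructed string stands in for
 * scanf on stdin so the example runs offline. */
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <string.h>

/* The pattern the warning targets: "%s" without a width has no upper bound,
 * so input longer than the buffer writes past its end (undefined behaviour).
 * Shown for contrast only; the bounded readers below are the ones to use. */
int read_word_unbounded(const char *input, char *buf)
{
    return sscanf(input, "%s", buf);
}

/* Portable fix: build "%<bufsize-1>s" from the real buffer size so at most
 * bufsize - 1 characters plus the NUL are stored. Returns the sscanf result:
 * 1 on success, 0 or EOF when no word was read. Unconsumed input stays
 * behind, just as it would on stdin for the next scanf call. */
int read_word_bounded(const char *input, char *buf, size_t bufsize)
{
    char fmt[32];
    if (bufsize < 2)
        return 0;                                   /* no room for a word */
    snprintf(fmt, sizeof fmt, "%%%zus", bufsize - 1);    /* e.g. "%15s" */
    return sscanf(input, fmt, buf);
}

#ifdef _MSC_VER
/* The MSVC / Annex K form from the comments: the size is a separate argument
 * after the pointer, not part of the format string. Compiled on MSVC only. */
int read_word_secure(const char *input, char *buf, size_t bufsize)
{
    return sscanf_s(input, "%s", buf, (unsigned)bufsize);
}
#endif

/* Reads into a bufsize-byte region (bufsize <= 64) with the bounded reader
 * and returns how many characters were stored, 0 if nothing was read. */
size_t bounded_stored_length(const char *input, size_t bufsize)
{
    char buf[64] = {0};
    if (bufsize > sizeof buf || read_word_bounded(input, buf, bufsize) != 1)
        return 0;
    return strlen(buf);
}
```

With a 16-byte buffer, a constructed 40-character word is cut at 15 characters instead of running past the buffer, and the rest of the input remains for the next read.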