[Owasp-esapi-c++] Test Suite and Valgrind

Dave Wichers dave.wichers at owasp.org
Fri Apr 9 21:47:08 EDT 2004

Regarding trying to buy Purify. The contract we are using does not allow us
to purchase software like this. I've asked our customer to see if they have
anyone internal that has a copy and could run Purify on the code we are
developing. Our POC is still researching.

Does anyone on this list have access to a Purify license that they could use
to do this for us?

Thanks, Dave

-----Original Message-----
From: owasp-esapi-c++-bounces at lists.owasp.org
[mailto:owasp-esapi-c++-bounces at lists.owasp.org] On Behalf Of Daniel Amodio
Sent: Tuesday, August 23, 2011 6:06 AM
To: noloader at gmail.com; kevin.w.wall at gmail.com
Cc: owasp-esapi-c++ at lists.owasp.org
Subject: Re: [Owasp-esapi-c++] Test Suite and Valgrind

This raises some interesting concerns, however.
If we can verify that some issues do exist by either cross scanning, or
manually checking a couple... we should at least report our findings.

Could end up being a sink for lots of apps that use it if this is the case.

Sent from my Verizon Wireless Phone

----- Reply message -----
From: "Jeffrey Walton" <noloader at gmail.com>
Date: Tue, Aug 23, 2011 2:13 am
Subject: [Owasp-esapi-c++] Test Suite and Valgrind
To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
Cc: "ESAPI C++ List" <owasp-esapi-c++ at lists.owasp.org>

On Tue, Aug 23, 2011 at 1:20 AM, Kevin W. Wall <kevin.w.wall at gmail.com>
> Jeff Walton wrote:
>> Kevin Wall wrote:
>>> If you really want to know how to handle the valgrind issues, I'd 
>>> suggest a post to the Boost and valgrind forums.
>> http://lists.boost.org/boost-users/2011/08/70235.php
> Perhaps a better question is, if valgrind has this many complaints 
> about the Boost libraries (or is this only about Boost::Test?), can we 
> really trust it to NOT have memory leaks?
It's an open question. Does someone have another tool (perhaps Purify) that
can be used to cross validate valgrind results?

> Because, if it does, maybe we should rethink about using it, or 
> perhaps divert some effort into fixing the Boost libraries.
Hmmmm... Splitting sources is asking for trouble (i.e., our 'fixed'
version versus boost's problematic sources). Plus, the fixes probably won't
find their way to my Ubuntu 10 or Fedora 14 systems through Canonical or Red
Hat. (Assuming there are some legitimate squawks).

Boost has a lot of Fan Boys. My feeling is they should fix their own mess. I
know I'm being a bit harsh, but I've been down this road with other FOSS
projects. I have found they want to write slick-ass, l33t, K&R code like the
kernel hackers*. You can't tell these folks to validate all parameters
before use, to use tools to locate mistakes (i.e., -Wall -Wextra and
Valgrind), to use debug instrumentation to find the point of first failure
quickly, etc.

> If Boost has memory leaks that can be exploited, it can be used to 
> attack apps that are using ESAPI for C++ and there's very little we 
> can do about that.
Yes. I kind of had tunnel vision - I was more concerned with our gear.
But you are right.


* Look at all the Comp Sci 101 mistakes from the l33t:
http://www.ubuntu.com/usn/usn-1189-1/. It's amazing they still don't
initialize their data structures properly and fully validate parameters.
Owasp-esapi-c++ mailing list
Owasp-esapi-c++ at lists.owasp.org