Fixes potential memory leaks in context methods.

Adds a private context function 'ffi_data_to_owned' that is used to
take ownership of the heap allocated data that is returned from TSS.

Fixes potential memory leaks where heap allocated data returned from
TSS might not have been freed properly.

Signed-off-by: Jesper Brynolf <[email protected]>

Author: Superhepper

tss-esapi/src/context.rs

@@ -431,6 +431,12 @@ impl Context {
                 Error::local_error(ErrorKind::MissingAuthSession)
             })
     }
+
+    /// Private function for handling that has been allocated with
+    /// C memory allocation functions in TSS.
+    fn ffi_data_to_owned<T>(data_ptr: *mut T) -> T {
+        MBox::into_inner(unsafe { MBox::from_raw(data_ptr) })
+    }
 }
 
 impl Drop for Context {

tss-esapi/src/context/general_esys_tr.rs

@@ -10,7 +10,6 @@ use crate::{
     Context, Error, Result,
 };
 use log::error;
-use mbox::MBox;
 use std::convert::TryFrom;
 use std::ptr::null_mut;
 use zeroize::Zeroize;
@@ -37,8 +36,7 @@ impl Context {
             unsafe { Esys_TR_GetName(self.mut_context(), object_handle.into(), &mut name_ptr) };
         let ret = Error::from_tss_rc(ret);
         if ret.is_success() {
-            let name = unsafe { MBox::from_raw(name_ptr) };
-            Ok(Name::try_from(*name)?)
+            Name::try_from(Context::ffi_data_to_owned(name_ptr))
         } else {
             error!("Error in getting name: {}", ret);
             Err(ret)

tss-esapi/src/context/tpm_commands/asymmetric_primitives.rs

@@ -8,7 +8,7 @@ use crate::{
     Context, Error, Result,
 };
 use log::error;
-use std::convert::{TryFrom, TryInto};
+use std::convert::TryFrom;
 use std::ptr::null_mut;
 
 impl Context {
@@ -37,8 +37,7 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let data = unsafe { PublicKeyRsa::try_from(*out_data_ptr)? };
-            Ok(data)
+            PublicKeyRsa::try_from(Context::ffi_data_to_owned(out_data_ptr))
         } else {
             error!("Error when performing RSA encryption: {}", ret);
             Err(ret)
@@ -70,8 +69,7 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let data = unsafe { PublicKeyRsa::try_from(*message_ptr)? };
-            Ok(data)
+            PublicKeyRsa::try_from(Context::ffi_data_to_owned(message_ptr))
         } else {
             error!("Error when performing RSA decryption: {}", ret);
             Err(ret)
@@ -202,12 +200,12 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            Ok(unsafe {
-                (
-                    (*z_point_ptr).point.try_into()?,
-                    (*pub_point_ptr).point.try_into()?,
-                )
-            })
+            let z_point = Context::ffi_data_to_owned(z_point_ptr);
+            let pub_point = Context::ffi_data_to_owned(pub_point_ptr);
+            Ok((
+                EccPoint::try_from(z_point.point)?,
+                EccPoint::try_from(pub_point.point)?,
+            ))
         } else {
             error!("Error when generating ECDH keypair: {}", ret);
             Err(ret)
@@ -339,7 +337,8 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            Ok(unsafe { (*out_point_ptr).point.try_into()? })
+            let out_point = Context::ffi_data_to_owned(out_point_ptr);
+            EccPoint::try_from(out_point.point)
         } else {
             error!("Error when performing ECDH ZGen: {}", ret);
             Err(ret)

tss-esapi/src/context/tpm_commands/attestation_commands.rs

@@ -7,7 +7,6 @@ use crate::{
     Context, Error, Result,
 };
 use log::error;
-use mbox::MBox;
 use std::convert::TryFrom;
 use std::ptr::null_mut;
 
@@ -142,11 +141,11 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let certify_info = unsafe { MBox::from_raw(certify_info_ptr) };
-            let signature = unsafe { MBox::from_raw(signature_ptr) };
+            let certify_info = Context::ffi_data_to_owned(certify_info_ptr);
+            let signature = Context::ffi_data_to_owned(signature_ptr);
             Ok((
-                Attest::try_from(AttestBuffer::try_from(*certify_info)?)?,
-                Signature::try_from(*signature)?,
+                Attest::try_from(AttestBuffer::try_from(certify_info)?)?,
+                Signature::try_from(signature)?,
             ))
         } else {
             error!("Error in certifying: {}", ret);
@@ -186,11 +185,11 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let quoted = unsafe { MBox::from_raw(quoted_ptr) };
-            let signature = unsafe { MBox::from_raw(signature_ptr) };
+            let quoted = Context::ffi_data_to_owned(quoted_ptr);
+            let signature = Context::ffi_data_to_owned(signature_ptr);
             Ok((
-                Attest::try_from(AttestBuffer::try_from(*quoted)?)?,
-                Signature::try_from(*signature)?,
+                Attest::try_from(AttestBuffer::try_from(quoted)?)?,
+                Signature::try_from(signature)?,
             ))
         } else {
             error!("Error in quoting PCR: {}", ret);

tss-esapi/src/context/tpm_commands/capability_commands.rs

@@ -8,7 +8,6 @@ use crate::{
     Context, Error, Result,
 };
 use log::{error, warn};
-use mbox::MBox;
 use std::convert::TryFrom;
 use std::ptr::null_mut;
 
@@ -66,9 +65,10 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let capability_data = unsafe { MBox::from_raw(capability_data_ptr) };
-            let capabilities = CapabilityData::try_from(*capability_data)?;
-            Ok((capabilities, YesNo::try_from(more_data)?.into()))
+            Ok((
+                CapabilityData::try_from(Context::ffi_data_to_owned(capability_data_ptr))?,
+                YesNo::try_from(more_data)?.into(),
+            ))
         } else {
             error!("Error when getting capabilities: {}", ret);
             Err(ret)

tss-esapi/src/context/tpm_commands/context_management.rs

@@ -9,8 +9,7 @@ use crate::{
     Context, Error, Result,
 };
 use log::error;
-use mbox::MBox;
-use std::convert::TryInto;
+use std::convert::{TryFrom, TryInto};
 use std::ptr::null_mut;
 
 impl Context {
@@ -24,8 +23,7 @@ impl Context {
         let ret = unsafe { Esys_ContextSave(self.mut_context(), handle.into(), &mut context_ptr) };
         let ret = Error::from_tss_rc(ret);
         if ret.is_success() {
-            let context = unsafe { MBox::from_raw(context_ptr) };
-            Ok((*context).try_into()?)
+            TpmsContext::try_from(Context::ffi_data_to_owned(context_ptr))
         } else {
             error!("Error in saving context: {}", ret);
             Err(ret)

tss-esapi/src/context/tpm_commands/duplication_commands.rs

@@ -323,10 +323,11 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let encryption_key_out = unsafe { Data::try_from(*encryption_key_out_ptr)? };
-            let duplicate = unsafe { Private::try_from(*duplicate_ptr)? };
-            let out_sym_seed = unsafe { EncryptedSecret::try_from(*out_sym_seed_ptr)? };
-            Ok((encryption_key_out, duplicate, out_sym_seed))
+            Ok((
+                Data::try_from(Context::ffi_data_to_owned(encryption_key_out_ptr))?,
+                Private::try_from(Context::ffi_data_to_owned(duplicate_ptr))?,
+                EncryptedSecret::try_from(Context::ffi_data_to_owned(out_sym_seed_ptr))?,
+            ))
         } else {
             error!("Error when performing duplication: {}", ret);
             Err(ret)
@@ -681,7 +682,7 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            Ok(unsafe { Private::try_from(*out_private_ptr)? })
+            Private::try_from(Context::ffi_data_to_owned(out_private_ptr))
         } else {
             error!("Error when performing import: {}", ret);
             Err(ret)

tss-esapi/src/context/tpm_commands/enhanced_authorization_ea_commands.rs

@@ -19,7 +19,6 @@ use crate::{
     Context, Error, Result, WrapperErrorKind as ErrorKind,
 };
 use log::error;
-use mbox::MBox;
 use std::convert::{TryFrom, TryInto};
 use std::ptr::null_mut;
 use std::time::Duration;
@@ -61,12 +60,10 @@ impl Context {
         };
         let ret = Error::from_tss_rc(ret);
         if ret.is_success() {
-            let out_timeout = unsafe { MBox::from_raw(out_timeout_ptr) };
-            let out_timeout = Timeout::try_from(*out_timeout)?;
-            let out_policy_ticket = unsafe { MBox::from_raw(out_policy_ticket_ptr) };
-            let out_policy_ticket = AuthTicket::try_from(*out_policy_ticket)?;
-
-            Ok((out_timeout, out_policy_ticket))
+            Ok((
+                Timeout::try_from(Context::ffi_data_to_owned(out_timeout_ptr))?,
+                AuthTicket::try_from(Context::ffi_data_to_owned(out_policy_ticket_ptr))?,
+            ))
         } else {
             error!("Error when sending policy signed: {}", ret);
             Err(ret)
@@ -106,12 +103,10 @@ impl Context {
         };
         let ret = Error::from_tss_rc(ret);
         if ret.is_success() {
-            let out_timeout = unsafe { MBox::from_raw(out_timeout_ptr) };
-            let out_timeout = Timeout::try_from(*out_timeout)?;
-            let out_policy_ticket = unsafe { MBox::from_raw(out_policy_ticket_ptr) };
-            let out_policy_ticket = AuthTicket::try_from(*out_policy_ticket)?;
-
-            Ok((out_timeout, out_policy_ticket))
+            Ok((
+                Timeout::try_from(Context::ffi_data_to_owned(out_timeout_ptr))?,
+                AuthTicket::try_from(Context::ffi_data_to_owned(out_policy_ticket_ptr))?,
+            ))
         } else {
             error!("Error when sending policy secret: {}", ret);
             Err(ret)
@@ -546,8 +541,7 @@ impl Context {
         };
         let ret = Error::from_tss_rc(ret);
         if ret.is_success() {
-            let policy_digest = unsafe { MBox::from_raw(policy_digest_ptr) };
-            Ok(Digest::try_from(*policy_digest)?)
+            Digest::try_from(Context::ffi_data_to_owned(policy_digest_ptr))
         } else {
             error!(
                 "Error failed to perform policy get digest operation: {}.",

tss-esapi/src/context/tpm_commands/hierarchy_commands.rs

@@ -15,7 +15,6 @@ use crate::{
     Context, Error, Result,
 };
 use log::error;
-use mbox::MBox;
 use std::convert::{TryFrom, TryInto};
 use std::ptr::null_mut;
 
@@ -77,20 +76,20 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let out_public_owned = unsafe { MBox::from_raw(out_public_ptr) };
-            let creation_data_owned = unsafe { MBox::from_raw(creation_data_ptr) };
-            let creation_hash_owned = unsafe { MBox::from_raw(creation_hash_ptr) };
-            let creation_ticket_owned = unsafe { MBox::from_raw(creation_ticket_ptr) };
-
+            let out_public_owned = Context::ffi_data_to_owned(out_public_ptr);
+            let creation_data_owned = Context::ffi_data_to_owned(creation_data_ptr);
+            let creation_hash_owned = Context::ffi_data_to_owned(creation_hash_ptr);
+            let creation_ticket_owned = Context::ffi_data_to_owned(creation_ticket_ptr);
             let primary_key_handle = KeyHandle::from(object_handle);
             self.handle_manager
                 .add_handle(primary_key_handle.into(), HandleDropAction::Flush)?;
+
             Ok(CreatePrimaryKeyResult {
                 key_handle: primary_key_handle,
-                out_public: Public::try_from(*out_public_owned)?,
-                creation_data: CreationData::try_from(*creation_data_owned)?,
-                creation_hash: Digest::try_from(*creation_hash_owned)?,
-                creation_ticket: CreationTicket::try_from(*creation_ticket_owned)?,
+                out_public: Public::try_from(out_public_owned)?,
+                creation_data: CreationData::try_from(creation_data_owned)?,
+                creation_hash: Digest::try_from(creation_hash_owned)?,
+                creation_ticket: CreationTicket::try_from(creation_ticket_owned)?,
             })
         } else {
             error!("Error in creating primary key: {}", ret);

tss-esapi/src/context/tpm_commands/integrity_collection_pcr.rs

@@ -7,7 +7,6 @@ use crate::{
     Context, Error, Result,
 };
 use log::error;
-use mbox::MBox;
 use std::convert::{TryFrom, TryInto};
 use std::ptr::null_mut;
 
@@ -174,12 +173,10 @@ impl Context {
         let ret = Error::from_tss_rc(ret);
 
         if ret.is_success() {
-            let pcr_selection_out = unsafe { MBox::from_raw(pcr_selection_out_ptr) };
-            let pcr_values = unsafe { MBox::from_raw(pcr_values_ptr) };
             Ok((
                 pcr_update_counter,
-                PcrSelectionList::try_from(*pcr_selection_out)?,
-                DigestList::try_from(*pcr_values)?,
+                PcrSelectionList::try_from(Context::ffi_data_to_owned(pcr_selection_out_ptr))?,
+                DigestList::try_from(Context::ffi_data_to_owned(pcr_values_ptr))?,
             ))
         } else {
             error!("Error when reading PCR: {}", ret);