From 4bebc57995bbb8c78b237f3b53e9fc738199d079 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 16 Nov 2023 16:27:58 +0100
Subject: [PATCH] ESYS: Add reference counting for Esys_TR_FromTPMPublic.

For every call of Esys_TR_FromTPMPublic the reference counter is incremented
to ensure that the created esys object is only freed by Esys_Close if
the reference count will be zero or decreased to zero.
Fixes: #2693

Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
 src/tss2-esys/api/Esys_FlushContext.c | 7 +++++++
 src/tss2-esys/esys_int.h              | 1 +
 src/tss2-esys/esys_tr.c               | 5 +++++
 3 files changed, 13 insertions(+)

diff --git a/src/tss2-esys/api/Esys_FlushContext.c b/src/tss2-esys/api/Esys_FlushContext.c
index 4d7dc7279..ff5e1ae02 100644
--- a/src/tss2-esys/api/Esys_FlushContext.c
+++ b/src/tss2-esys/api/Esys_FlushContext.c
@@ -184,6 +184,7 @@ Esys_FlushContext_Finish(
     ESYS_CONTEXT *esysContext)
 {
     TSS2_RC r;
+    RSRC_NODE_T *flushHandleNode;
     LOG_TRACE("context=%p",
               esysContext);
 
@@ -244,6 +245,12 @@ Esys_FlushContext_Finish(
                           "Received error from SAPI unmarshaling" );
 
     /* The ESYS_TR object has to be invalidated */
+
+    r = esys_GetResourceObject(esysContext, esysContext->in.FlushContext.flushHandle,
+                               &flushHandleNode);
+    return_state_if_error(r, _ESYS_STATE_INIT, "flushHandle unknown.");
+
+    flushHandleNode->reference_count = 0;
     r = Esys_TR_Close(esysContext, &esysContext->in.FlushContext.flushHandle);
     return_if_error(r, "invalidate object");
 
diff --git a/src/tss2-esys/esys_int.h b/src/tss2-esys/esys_int.h
index 6fbd732c1..98c4ae771 100644
--- a/src/tss2-esys/esys_int.h
+++ b/src/tss2-esys/esys_int.h
@@ -23,6 +23,7 @@ typedef struct RSRC_NODE_T {
                                      to reference this entry. */
     TPM2B_AUTH auth;            /**< The authValue for this resource object. */
     IESYS_RESOURCE rsrc;        /**< The meta data for this resource object. */
+    size_t reference_count;     /**< Reference Count for Esys_TR_FromTPMPublic */
     struct RSRC_NODE_T * next;  /**< The next object in the linked list. */
 } RSRC_NODE_T;
 
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index 8160da38f..aa5c814a2 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -313,6 +313,7 @@ Esys_TR_FromTPMPublic_Finish(ESYS_CONTEXT * esys_context, ESYS_TR * object)
         return_if_error(r, "Error TR FromTPMPublic");
         return TSS2_ESYS_RC_TRY_AGAIN;
     } else {
+        objectHandleNode->reference_count++;
         *object = objectHandle;
         return TSS2_RC_SUCCESS;
     }
@@ -425,6 +426,10 @@ Esys_TR_Close(ESYS_CONTEXT * esys_context, ESYS_TR * object)
          node != NULL;
          update_ptr = &node->next, node = node->next) {
         if (node->esys_handle == *object) {
+            if (node->reference_count > 1) {
+                node->reference_count--;
+                return TSS2_RC_SUCCESS;
+            }
             *update_ptr = node->next;
             SAFE_FREE(node);
             *object = ESYS_TR_NONE;