Why this matters

The bug. `buf.as_ptr()` borrows the `Vec`'s buffer without taking ownership. As soon as `checkout` returns, `buf` is dropped and its heap allocation is freed. The caller now holds a dangling pointer. Worse, if the C side later calls `free` on it, the allocator's free list is corrupted.

The fix. To hand ownership across an FFI boundary you have to *leak* the allocation so Rust stops tracking it. `Box::into_raw(buf.into_boxed_slice())` shrinks the allocation to fit (so it matches what C will free) and returns a raw pointer Rust will not drop. `Vec::leak(buf)` is the modern stdlib equivalent.

Why this is in the deck. It's the canonical FFI-boundary bug. The leak is *intentional* — the alternative (return a borrow) is undefined behavior.
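The fixed hand-off as an added example (not code from the original card): the signature of `checkout`, the `fill`/`out_len` parameters, and the `checkout_release` and `round_trip` helpers are assumptions made for illustration. It goes one step past the card by pairing the leak with a release function that returns the buffer to Rust's allocator.

```rust
use std::ptr;

/// Hands ownership of a byte buffer to a C caller.
/// Hypothetical signature; a real export would also carry the no_mangle attribute.
pub unsafe extern "C" fn checkout(fill: u8, len: usize, out_len: *mut usize) -> *mut u8 {
    if out_len.is_null() {
        return ptr::null_mut();
    }
    // Over-allocate on purpose so capacity != len, as a grown Vec usually has.
    let mut buf: Vec<u8> = Vec::with_capacity(len + 64);
    buf.resize(len, fill);
    // into_boxed_slice() shrinks the allocation to exactly `len` bytes;
    // Box::into_raw() makes Rust stop tracking it, so nothing is freed on return.
    let boxed: Box<[u8]> = buf.into_boxed_slice();
    unsafe { *out_len = boxed.len() };
    Box::into_raw(boxed) as *mut u8
}

/// Hypothetical release half of the pair: rebuilds the Box so Rust's allocator frees it.
pub unsafe extern "C" fn checkout_release(p: *mut u8, len: usize) {
    if p.is_null() {
        return;
    }
    drop(unsafe { Box::from_raw(ptr::slice_from_raw_parts_mut(p, len)) });
}

/// Plays the C caller: check out, copy the bytes, hand the buffer back.
pub fn round_trip(fill: u8, len: usize) -> Vec<u8> {
    let mut n = 0usize;
    unsafe {
        let p = checkout(fill, len, &mut n);
        let copy = std::slice::from_raw_parts(p, n).to_vec();
        checkout_release(p, n);
        copy
    }
}

fn main() {
    println!("{:?}", round_trip(0xAB, 5));
}
```

The caller must pass back the same length it received, because the rebuilt `Box<[u8]>` uses that length to describe the allocation being freed.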

Review heuristic

Every long-lived collection (cache, registry, event bus, observer list) needs an eviction or unsubscribe path that fires deterministically. "It'll get GC'd" is true for the value but not for the reference holding it.

External reference: CWE-401: Missing Release of Memory after Effective Lifetime.