slirp: Fix use after release on tcp_input

ti points into the m buffer. But the latter may already be released
right after the dodata: label. Move the test before the potential
release.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 2f1a196b391d8f5a0f287088cd55c227b78b9414..942aaf44f1b9e11965c3020d014cf40327bbe5d7 100644 (file)
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1156,6 +1156,16 @@ step6:
                        tp->rcv_up = tp->rcv_nxt;
 dodata:
 
+       /*
+        * If this is a small packet, then ACK now - with Nagel
+        *      congestion avoidance sender won't send more until
+        *      he gets an ACK.
+        */
+       if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+           ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+               tp->t_flags |= TF_ACKNOW;
+       }
+
        /*
         * Process the segment text, merging it into the TCP sequencing queue,
         * and arranging for acknowledgment of receipt if necessary.
@@ -1234,18 +1244,6 @@ dodata:
                }
        }
 
-       /*
-        * If this is a small packet, then ACK now - with Nagel
-        *      congestion avoidance sender won't send more until
-        *      he gets an ACK.
-        *
-        * See above.
-        */
-       if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
-           ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
-               tp->t_flags |= TF_ACKNOW;
-       }
-
        /*
         * Return any desired output.
         */