slirp: Fix use after release on tcp_input

ti points into the m buffer. But the latter may already be released right after the dodata: label. Move the test before the potential release. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com>

slirp: Fix use after release on tcp_input
ti points into the m buffer. But the latter may already be released right after the dodata: label. Move the test before the potential release. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com>
8d06d69b · Jan Kiszka · 46f3069c · 8d06d69b
隐藏空白更改
内联并排

Showing with 10 addition and 12 deletion

slirp/tcp_input.c slirp/tcp_input.c +10 -12

未找到文件。
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1156,6 +1156,16 @@ step6:
 			tp->rcv_up = tp->rcv_nxt;
 dodata:

+	/*
+	 * If this is a small packet, then ACK now - with Nagel
+	 *      congestion avoidance sender won't send more until
+	 *      he gets an ACK.
+	 */
+	if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+	    ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+		tp->t_flags |= TF_ACKNOW;
+	}
+
 	/*
 	 * Process the segment text, merging it into the TCP sequencing queue,
 	 * and arranging for acknowledgment of receipt if necessary.
@@ -1234,18 +1244,6 @@ dodata:
 		}
 	}

-	/*
-	 * If this is a small packet, then ACK now - with Nagel
-	 *      congestion avoidance sender won't send more until
-	 *      he gets an ACK.
-	 *
-	 * See above.
-	 */
-	if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
-	    ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
-		tp->t_flags |= TF_ACKNOW;
-	}
-
 	/*
 	 * Return any desired output.
 	 */