authorJan Kiszka <jan.kiszka@siemens.com>2011-09-26 21:29:56 +0200
committerJan Kiszka <jan.kiszka@siemens.com>2011-09-28 13:10:22 +0200
commit605425be8e09655fcde274a17f7387e9c9fb2291 (patch)
tree1c26d2689ec10104bb27b3e32b3b11daa698c0c9
parentce6e73ad7138dc8522304e31a9e60cd6635480a3 (diff)
slirp: Fix use after release on tcp_input
ti points into the m buffer. But the latter may already be released right after the dodata: label. Move the test before the potential release. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-rw-r--r--tcp_input.c22
1 files changed, 10 insertions, 12 deletions
diff --git a/tcp_input.c b/tcp_input.c
index da98de7..190a135 100644
--- a/tcp_input.c
+++ b/tcp_input.c
@@ -1151,6 +1151,16 @@ step6:
dodata:
/*
+ * If this is a small packet, then ACK now - with Nagel
+ * congestion avoidance sender won't send more until
+ * he gets an ACK.
+ */
+ if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+ ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+ tp->t_flags |= TF_ACKNOW;
+ }
+
+ /*
* Process the segment text, merging it into the TCP sequencing queue,
* and arranging for acknowledgment of receipt if necessary.
* This process logically involves adjusting tp->rcv_wnd as data
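Review bot: Nothing at the relocated test records the ordering constraint that this commit depends on, so a later reorder could quietly reintroduce the use-after-free. Per the commit message, `ti` points into `m` and `m` may be released by the segment processing that follows `dodata:`; a line in the comment such as `* NOTE: ti aliases m's data; this test must stay ahead of any path that may free m.` would pin that down. The comment also describes only a "small packet", while the condition additionally requires the first payload byte to equal 27 (ESC), and "Nagel" should read "Nagle". The `first_char` read goes through a `struct tcpiphdr_2` overlay on `ti`, which presumably assumes the payload byte sits directly after the header; the struct is not visible here, so that is worth confirming and stating in the comment. The enclosing function starts and ends outside this hunk.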
@@ -1228,18 +1238,6 @@ dodata:
}
/*
- * If this is a small packet, then ACK now - with Nagel
- * congestion avoidance sender won't send more until
- * he gets an ACK.
- *
- * See above.
- */
- if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
- ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
- tp->t_flags |= TF_ACKNOW;
- }
-
- /*
* Return any desired output.
*/
if (needoutput || (tp->t_flags & TF_ACKNOW)) {