author | Jan Kiszka <jan.kiszka@siemens.com> | 2011-09-26 21:29:56 +0200 |
---|---|---|
committer | Jan Kiszka <jan.kiszka@siemens.com> | 2011-09-28 13:10:22 +0200 |
commit | 8d06d69bc448301d27cab1405efba9d876dd39da (patch) | |
tree | 6a36e6df88681f28771017333850920417645e62 /slirp/tcp_input.c | |
parent | 46f3069cba94aab44b3b4f87bc270759b4a700fa (diff) | |
slirp: Fix use after release on tcp_input
ti points into the m buffer. But the latter may already be released
right after the dodata: label. Move the test before the potential
release.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Diffstat (limited to 'slirp/tcp_input.c')
-rw-r--r-- | slirp/tcp_input.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c index 2f1a196..942aaf4 100644 --- a/slirp/tcp_input.c +++ b/slirp/tcp_input.c @@ -1157,6 +1157,16 @@ step6: dodata: /* + * If this is a small packet, then ACK now - with Nagel + * congestion avoidance sender won't send more until + * he gets an ACK. + */ + if (ti->ti_len && (unsigned)ti->ti_len <= 5 && + ((struct tcpiphdr_2 *)ti)->first_char == (char)27) { + tp->t_flags |= TF_ACKNOW; + } + + /* * Process the segment text, merging it into the TCP sequencing queue, * and arranging for acknowledgment of receipt if necessary. * This process logically involves adjusting tp->rcv_wnd as data @@ -1235,18 +1245,6 @@ dodata: } /* - * If this is a small packet, then ACK now - with Nagel - * congestion avoidance sender won't send more until - * he gets an ACK. - * - * See above. - */ - if (ti->ti_len && (unsigned)ti->ti_len <= 5 && - ((struct tcpiphdr_2 *)ti)->first_char == (char)27) { - tp->t_flags |= TF_ACKNOW; - } - - /* * Return any desired output. */ if (needoutput || (tp->t_flags & TF_ACKNOW)) { |
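Review bot: The comment moved to the top of `dodata:` in the first hunk (@@ -1157,6 +1157,16 @@) explains the immediate ACK but not why the test has to sit before the segment processing. Add a sentence there saying that ti points into m and must not be dereferenced once the segment text has been handed on, so a later cleanup does not move the test back down. The condition also requires `first_char == (char)27`, which "small packet" does not cover; say in the comment that the first payload byte is being matched against ESC, and correct "Nagel" to "Nagle" while the comment is being touched.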
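Review bot: In the second hunk (@@ -1235,18 +1245,6 @@), the lines left before "Return any desired output" no longer read ti, but the patch does not show the code between the new test and this point, so please confirm that no other `ti->` access remains after the potential release of m. If the surrounding code allows it, clearing ti where m is released would make any leftover use fail visibly instead of reading freed memory. The `needoutput || (tp->t_flags & TF_ACKNOW)` check still sees the flag because it is now set earlier, so behaviour on this path is unchanged.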