field | value | date
---|---|---
author | PanNengyuan <pannengyuan@huawei.com> | 2019-11-25 09:20:52 +0800
committer | Marc-André Lureau <marcandre.lureau@redhat.com> | 2019-12-01 12:18:14 +0400
commit | e03380e55d6b8404f5dae64f3ba293b4dbef2dc4 (patch) |
tree | 6707b30b8669a835934e1d0bbf1f9a2b7817f2d3 |
parent | ccfc7f253d900f1c3209ba89fb7d5e893ea38341 (diff) |
libslirp: fix NULL pointer dereference in tcp_sockclosed
qemu crashes with a segfault (NULL pointer access in tcp_sockclosed):
tp = tcp_close(tp) frees tp and sets tp to NULL, then tcp_output(tp)
accesses the null pointer (tp).
This fixes:
384 break;
385 }
CID 68914397: (NULL_RETURNS)
386. dereference: Dereferencing a pointer that might be "NULL"
"tp" when calling "tcp_output".
386 tcp_output(tp);
387}
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
Message-Id: <1574644852-24440-1-git-send-email-pannengyuan@huawei.com>
Fixes: 804f441a9d6998a57040bf36685a17a6436b2ea8
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
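The pattern the commit message describes, a close routine that frees its argument and returns NULL, followed by a use of that pointer after the switch, is reproduced below as an added example. This is not libslirp code: the struct, state values, result codes and the run_sockclosed() harness are constructed for the demo, only the function and state names mirror the ones in the patch, and tcp_output() reports a NULL argument instead of crashing so the three control flows can be compared in a test. Beyond the committed fix (early return) it also shows the alternative of keeping the break and guarding the use site.

```c
#include <stdio.h>
#include <stdlib.h>

/* Demo-only state values; only the names mirror the slirp states in the patch. */
enum { TCPS_CLOSED, TCPS_LISTEN, TCPS_SYN_SENT, TCPS_SYN_RECEIVED, TCPS_ESTABLISHED };

/* Demo-only result codes returned by the tcp_sockclosed variants. */
enum { SC_NULL_DEREF = -1, SC_CLOSED = 0, SC_OUTPUT = 1 };

struct tcpcb {
    int t_state;
};

/* Same contract the commit message gives for tcp_close(): free, return NULL. */
static struct tcpcb *tcp_close(struct tcpcb *tp)
{
    free(tp);
    return NULL;
}

/* Stand-in for tcp_output(). The real one dereferences tp immediately; this
 * one reports a NULL argument instead of crashing so a test can observe it. */
static int tcp_output(struct tcpcb *tp)
{
    if (tp == NULL)
        return SC_NULL_DEREF;
    (void)tp->t_state;          /* the real code reads through tp here */
    return SC_OUTPUT;
}

/* Shape of the code before the patch: 'break' leaves the switch with tp == NULL
 * and control still reaches tcp_output(tp). */
static int tcp_sockclosed_before(struct tcpcb *tp)
{
    switch (tp->t_state) {
    case TCPS_LISTEN:
    case TCPS_SYN_SENT:
        tp->t_state = TCPS_CLOSED;
        tp = tcp_close(tp);     /* tp is NULL from here on */
        break;
    default:
        break;
    }
    return tcp_output(tp);      /* reached with tp == NULL for the states above */
}

/* Shape of the committed fix: return right after closing, never reach tcp_output. */
static int tcp_sockclosed_after(struct tcpcb *tp)
{
    switch (tp->t_state) {
    case TCPS_LISTEN:
    case TCPS_SYN_SENT:
        tp->t_state = TCPS_CLOSED;
        tcp_close(tp);
        return SC_CLOSED;
    default:
        break;
    }
    return tcp_output(tp);
}

/* Alternative fix: keep the original control flow and guard the use site, which
 * stays correct if more code is later added after the switch. */
static int tcp_sockclosed_guarded(struct tcpcb *tp)
{
    switch (tp->t_state) {
    case TCPS_LISTEN:
    case TCPS_SYN_SENT:
        tp->t_state = TCPS_CLOSED;
        tp = tcp_close(tp);
        break;
    default:
        break;
    }
    return tp ? tcp_output(tp) : SC_CLOSED;
}

/* Runs one variant on a fresh control block in the given state and releases the
 * block afterwards unless the variant already freed it via tcp_close(). */
static int run_sockclosed(int (*variant)(struct tcpcb *), int state)
{
    struct tcpcb *tp = malloc(sizeof *tp);
    int freed_by_variant = (state == TCPS_LISTEN || state == TCPS_SYN_SENT);
    int rc;

    if (tp == NULL)
        return -2;
    tp->t_state = state;
    rc = variant(tp);
    if (!freed_by_variant)
        free(tp);
    return rc;
}

int main(void)
{
    printf("before, LISTEN: %d (NULL reached)\n",
           run_sockclosed(tcp_sockclosed_before, TCPS_LISTEN));
    printf("after,  LISTEN: %d   after, ESTABLISHED: %d\n",
           run_sockclosed(tcp_sockclosed_after, TCPS_LISTEN),
           run_sockclosed(tcp_sockclosed_after, TCPS_ESTABLISHED));
    return 0;
}
```

Running it shows the pre-patch flow handing NULL to tcp_output() for LISTEN and SYN_SENT while both fixed variants skip the call and still send output for the other states.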
-rw-r--r-- | src/tcp_subr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/tcp_subr.c b/src/tcp_subr.c index 2e32cb6..063eff2 100644 --- a/src/tcp_subr.c +++ b/src/tcp_subr.c @@ -377,8 +377,8 @@ void tcp_sockclosed(struct tcpcb *tp) case TCPS_LISTEN: case TCPS_SYN_SENT: tp->t_state = TCPS_CLOSED; - tp = tcp_close(tp); - break; + tcp_close(tp); + return; case TCPS_SYN_RECEIVED: case TCPS_ESTABLISHED: |
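Review bot: the early `return` in the TCPS_LISTEN/TCPS_SYN_SENT arm is only correct because `tcp_output(tp)` is the sole statement after the switch (the Coverity excerpt in the commit message shows lines 384-387 are just `break; }` and `tcp_output(tp); }`), so the fix is sound as committed, but replacing `tp = tcp_close(tp); break;` with `tcp_close(tp); return;` silently ties this arm to that layout and any code later added after the switch will be skipped for closed connections. Consider keeping the `break` and guarding the use site instead, e.g. `if (tp) { tcp_output(tp); }`, or at least a one-line comment above the `return` stating that tp has been freed. Dropping the return value of `tcp_close()` is fine, since the commit message says it returns NULL after freeing.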