Patchwork [1/2] slirp: Fix use after release on tcp_input

login
register
mail settings
Submitter Jan Kiszka
Date Sept. 28, 2011, 11:12 a.m.
Message ID <8d06d69bc448301d27cab1405efba9d876dd39da.1317208328.git.jan.kiszka@siemens.com>
Download mbox | patch
Permalink /patch/116757/
State New
Headers show

Comments

Jan Kiszka - Sept. 28, 2011, 11:12 a.m.
ti points into the m buffer. But the latter may already be released
right after the dodata: label. Move the test before the potential
release.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 slirp/tcp_input.c |   22 ++++++++++------------
 1 files changed, 10 insertions(+), 12 deletions(-)

Patch

diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 2f1a196..942aaf4 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1157,6 +1157,16 @@  step6:
 dodata:
 
 	/*
+	 * If this is a small packet, then ACK now - with Nagel
+	 *      congestion avoidance sender won't send more until
+	 *      he gets an ACK.
+	 */
+	if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+	    ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+		tp->t_flags |= TF_ACKNOW;
+	}
+
+	/*
 	 * Process the segment text, merging it into the TCP sequencing queue,
 	 * and arranging for acknowledgment of receipt if necessary.
 	 * This process logically involves adjusting tp->rcv_wnd as data
@@ -1235,18 +1245,6 @@  dodata:
 	}
 
 	/*
-	 * If this is a small packet, then ACK now - with Nagel
-	 *      congestion avoidance sender won't send more until
-	 *      he gets an ACK.
-	 *
-	 * See above.
-	 */
-	if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
-	    ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
-		tp->t_flags |= TF_ACKNOW;
-	}
-
-	/*
 	 * Return any desired output.
 	 */
 	if (needoutput || (tp->t_flags & TF_ACKNOW)) {