Slirp use after free fix

author Toni Wilen <twilen@winuae.net>

Thu, 24 Apr 2025 18:07:19 +0000 (21:07 +0300)

committer Toni Wilen <twilen@winuae.net>

Thu, 24 Apr 2025 18:07:19 +0000 (21:07 +0300)
author Toni Wilen <twilen@winuae.net>
Thu, 24 Apr 2025 18:07:19 +0000 (21:07 +0300)
committer Toni Wilen <twilen@winuae.net>
Thu, 24 Apr 2025 18:07:19 +0000 (21:07 +0300)
diff --git a/slirp/tcp_input.cpp b/slirp/tcp_input.cpp

index 81edb3488c42c6f673d74b118044935435a039df..24511454b545de44198082f68887e37a93caa222 100644 (file)
--- a/slirp/tcp_input.cpp
+++ b/slirp/tcp_input.cpp
@@ -243,6 +243,7 @@ void tcp_input(struct mbuf *m, int iphlen, struct socket *inso)
         u_long tiwin;
         int ret;
         /* int ts_present = 0; */
+       int needfree = 0;
  
         DEBUG_CALL("tcp_input");
         DEBUG_ARGS((" m = %8lx  iphlen = %2d  inso = %lx\n",
@@ -1359,7 +1360,7 @@ dodata:
                  */
                 len = so->so_rcv.sb_datalen - (tp->rcv_adv - tp->rcv_nxt);
         } else {
-               m_free(m);
+               needfree = 1;
                 tiflags &= ~TH_FIN;
         }
  
@@ -1445,6 +1446,9 @@ dodata:
                 ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
                 tp->t_flags |= TF_ACKNOW;
         }
+       if (needfree) {
+               m_free(m);
+       }
  
         /*
          * Return any desired output.
author	Toni Wilen <twilen@winuae.net>
	Thu, 24 Apr 2025 18:07:19 +0000 (21:07 +0300)
committer	Toni Wilen <twilen@winuae.net>
	Thu, 24 Apr 2025 18:07:19 +0000 (21:07 +0300)