From: Toni Wilen
Date: Thu, 24 Apr 2025 18:07:19 +0000 (+0300)
Subject: Slirp use after free fix
X-Git-Url: https://git.unchartedbackwaters.co.uk/w/?a=commitdiff_plain;h=872acf6ba9ad0b5c4777601f166a917624b1a5db;p=francis%2Fwinuae.git
Slirp use after free fix
---
diff --git a/slirp/tcp_input.cpp b/slirp/tcp_input.cpp
index 81edb348..24511454 100644
--- a/slirp/tcp_input.cpp
+++ b/slirp/tcp_input.cpp
@@ -243,6 +243,7 @@ void tcp_input(struct mbuf *m, int iphlen, struct socket *inso)
 u_long tiwin;
 int ret;
 /* int ts_present = 0; */
+ int needfree = 0;
 DEBUG_CALL("tcp_input");
 DEBUG_ARGS((" m = %8lx iphlen = %2d inso = %lx\n",
@@ -1359,7 +1360,7 @@ dodata:
 */
 len = so->so_rcv.sb_datalen - (tp->rcv_adv - tp->rcv_nxt);
 } else {
- m_free(m);
+ needfree = 1;
 tiflags &= ~TH_FIN;
 }
@@ -1445,6 +1446,9 @@ dodata:
 ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
 tp->t_flags |= TF_ACKNOW;
 }
+ if (needfree) {
+ m_free(m);
+ }
 /*
 * Return any desired output.
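Review bot: In the `@@ -1359,7 +1360,7 @@` hunk only the `else` arm is switched to `needfree = 1;`, while the arm that opens above the hunk still hands the segment on before `ti` is read again at the `first_char` check further down. If that arm can release or consume `m` (its code is outside the hunk, so this is an assumption to verify), the same stale read through `ti` remains on that path. A sturdier shape is to evaluate the small-packet condition into a local (say `ack_small`) before the `if`/`else` under `dodata:` and test it later with `if (ack_small) tp->t_flags |= TF_ACKNOW;`, so nothing dereferences `ti` once the mbuf may be gone.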
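Review bot: The `m_free(m)` added in the `@@ -1445,6 +1446,9 @@` hunk is reached only by falling through from the `else` arm of the previous hunk; a `return`, `goto` or other exit anywhere in between would skip it and leak the mbuf. That stretch of `tcp_input` lies outside the visible hunks, so it needs checking against the whole function. The flag also deserves a comment at its declaration, e.g. `int needfree = 0; /* m is released only after the last read through ti */`, so a later edit does not move the free back above those reads.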