From 872acf6ba9ad0b5c4777601f166a917624b1a5db Mon Sep 17 00:00:00 2001
From: Toni Wilen
Date: Thu, 24 Apr 2025 21:07:19 +0300
Subject: [PATCH] Slirp use after free fix
---
 slirp/tcp_input.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/slirp/tcp_input.cpp b/slirp/tcp_input.cpp
index 81edb348..24511454 100644
--- a/slirp/tcp_input.cpp
+++ b/slirp/tcp_input.cpp
@@ -243,6 +243,7 @@ void tcp_input(struct mbuf *m, int iphlen, struct socket *inso)
 u_long tiwin;
 int ret;
 /* int ts_present = 0; */
+ int needfree = 0;
 DEBUG_CALL("tcp_input");
 DEBUG_ARGS((" m = %8lx iphlen = %2d inso = %lx\n",
@@ -1359,7 +1360,7 @@ dodata:
 */
 len = so->so_rcv.sb_datalen - (tp->rcv_adv - tp->rcv_nxt);
 } else {
- m_free(m);
+ needfree = 1;
 tiflags &= ~TH_FIN;
 }
@@ -1445,6 +1446,9 @@ dodata:
 ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
 tp->t_flags |= TF_ACKNOW;
 }
+ if (needfree) {
+ m_free(m);
+ }
 /*
 * Return any desired output.
--
2.47.3
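Review bot: Setting `needfree = 1` in the `else` branch under `dodata:` makes the release of `m` depend on control reaching the new `if (needfree)` block roughly ninety lines later. Any `goto` or `return` between those two points would skip the free and leak the mbuf on every ignored segment. That code is outside the hunks, so please confirm there is no such exit on the path where `TH_FIN` has just been cleared. The reason for the deferral is also not recorded anywhere; a comment at the flag would keep a later cleanup from moving the free back, for example `needfree = 1; /* ti still points into m and is read below; freed after the last use of ti */`.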
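Review bot: The `((struct tcpiphdr_2 *)ti)->first_char` read just above the new `if (needfree)` block is reached from both arms of the earlier if/else under `dodata:`, but the flag keeps `m` alive only on the `else` arm. The other arm is outside the hunks; if it hands `m` to reassembly or socket-buffer code that may free or requeue it, `ti` would presumably be stale here on that path as well, so this needs confirming against the full function. A fix that does not depend on the mbuf's lifetime would copy `ti->ti_len` and the first payload byte into locals before `m` is consumed and test those copies here. After `m_free(m);`, both `m` and `ti` dangle, so nothing in the output path that follows may touch them; adding `m = NULL;` inside the block would make a later misuse fail visibly.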