From 8d06d69bc448301d27cab1405efba9d876dd39da Mon Sep 17 00:00:00 2001
From: Jan Kiszka
Date: Mon, 26 Sep 2011 21:29:56 +0200
Subject: [PATCH 1/2] slirp: Fix use after release on tcp_input

ti points into the m buffer. But the latter may already be released right after the dodata: label. Move the test before the potential release.

Signed-off-by: Jan Kiszka
---
 slirp/tcp_input.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 2f1a196b39..942aaf44f1 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1156,6 +1156,16 @@ step6:
 tp->rcv_up = tp->rcv_nxt;
 dodata:
+ /*
+ * If this is a small packet, then ACK now - with Nagel
+ * congestion avoidance sender won't send more until
+ * he gets an ACK.
+ */
+ if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+ ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+ tp->t_flags |= TF_ACKNOW;
+ }
+
 /*
 * Process the segment text, merging it into the TCP sequencing queue,
 * and arranging for acknowledgment of receipt if necessary.
@@ -1234,18 +1244,6 @@ dodata:
 }
 }
- /*
- * If this is a small packet, then ACK now - with Nagel
- * congestion avoidance sender won't send more until
- * he gets an ACK.
- *
- * See above.
- */
- if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
- ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
- tp->t_flags |= TF_ACKNOW;
- }
-
 /*
 * Return any desired output.
 */
From 2b4404326598bec4cb954bfc54fc5e9740a51f7b Mon Sep 17 00:00:00 2001
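Review bot: The comment moved to the top of the dodata: block is carried over verbatim, including the misspelling "Nagel" (the algorithm is Nagle's) and with no explanation of the magic `(char)27` that the condition peeks at through the `struct tcpiphdr_2` overlay; since this is now the first thing a reader meets after the label, fix the spelling and add a line such as `* first_char == 27 (ESC): presumably a heuristic for interactive/telnet-style traffic - confirm.` so the next person does not have to reverse-engineer it. Moving the test ahead of the segment-text processing also means TF_ACKNOW is now set before any later path between the two hunks has run, whereas previously it was only reached at the end of the block; that is the intended trade for not touching freed memory, but it is worth stating in the commit message. The body of tcp_input() that frees m lies between the two hunks and the function starts and ends outside them, so from this view I cannot confirm that no other `ti->` dereference survives after the release point - a quick audit of the remaining uses in that stretch would make the fix complete.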
From: Thomas Huth
Date: Tue, 27 Sep 2011 11:20:38 +0200
Subject: [PATCH 2/2] slirp: Fix packet expiration

The two new variables "arp_requested" and "expiration_date" in the mbuf structure have been added after the variable-sized "m_dat_" array. The variables have to be added before the m_dat_ array instead. Without this patch, the expiration_date gets clobbered by code that accesses the m_dat_ array. I experienced this problem with the code in slirp/tftp.c: The tftp_send_data() function created a new packet with the m_get() function (which fills-in a default expiration_date value). Then the TFTP code cleared the data section of the packet, which accidentially also cleared the expiration_date. This zeroed expiration_date then finally causes the packet to be discarded during if_start(), so that TFTP packets were not transmitted anymore.

[Jan: added comment as suggested by Fabien ]

CC: Fabien Chouteau
Signed-off-by: Thomas Huth
Signed-off-by: Jan Kiszka
---
 slirp/mbuf.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/slirp/mbuf.h b/slirp/mbuf.h
index 55170e517b..0708840f04 100644
--- a/slirp/mbuf.h
+++ b/slirp/mbuf.h
@@ -82,12 +82,13 @@ struct m_hdr {
 struct mbuf {
 struct m_hdr m_hdr;
 Slirp *slirp;
+ bool arp_requested;
+ uint64_t expiration_date;
+ /* start of dynamic buffer area, must be last element */
 union M_dat {
 char m_dat_[1]; /* ANSI don't like 0 sized arrays */
 char *m_ext_;
 } M_dat;
- bool arp_requested;
- uint64_t expiration_date;
 };
 #define m_next m_hdr.mh_next
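Review bot: The new `/* start of dynamic buffer area, must be last element */` comment documents the invariant but nothing enforces it, and the commit message itself shows how easily it is broken: `m_dat_[1]` is deliberately written past its declared size, so any member appended after `M_dat` is silently overwritten rather than rejected by the compiler. A build-time check right after the struct, using whatever static-assert macro the tree provides, would turn the next such mistake into a compile error, e.g. `/* M_dat must stay last: code writes past m_dat_[1] by design */` followed by an assertion that `offsetof(struct mbuf, M_dat) + sizeof(union M_dat) == sizeof(struct mbuf)`. Given that `M_dat` holds a `char *`, that equality should hold on the usual ABIs, but please confirm against the 32-bit builds slirp supports before wiring it in. The `struct m_hdr` named in the hunk header and the accessor macros after `m_next` lie outside this hunk.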