From 139944a3acb0fce815e6eca892cf3a4c4261c6f6 Mon Sep 17 00:00:00 2001
From: jifl <jifl>
Date: Tue, 24 Jun 2008 15:46:38 +0000
Subject: [PATCH]   * tcp_in.c: Fix for bug #23693 as suggested by Art R.
 Ensure cseg is unused     if tcp_seg_copy fails.

---
 CHANGELOG         |  5 +++++
 src/core/tcp_in.c | 16 ++++++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0b0dd39a..c5c79f88 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -35,6 +35,11 @@ HISTORY
 
 
   ++ Bugfixes:
+
+  2008-06-24 Jonathan Larmour
+  * tcp_in.c: Fix for bug #23693 as suggested by Art R. Ensure cseg is unused
+    if tcp_seg_copy fails.
+
   2008-06-17 Simon Goldschmidt
   * inet_chksum.c: Checked in some ideas of patch #6460 (loop optimizations)
     and created defines for swapping bytes and folding u32 to u16.
diff --git a/src/core/tcp_in.c b/src/core/tcp_in.c
index 498c4e5c..070ec7f4 100644
--- a/src/core/tcp_in.c
+++ b/src/core/tcp_in.c
@@ -1195,14 +1195,14 @@ tcp_receive(struct tcp_pcb *pcb)
                   } else {
                     pcb->ooseq = cseg;
                   }
-                }
-                tcp_seg_free(next);
-                if (cseg->next != NULL) {
-                  next = cseg->next;
-                  if (TCP_SEQ_GT(seqno + cseg->len, next->tcphdr->seqno)) {
-                    /* We need to trim the incoming segment. */
-                    cseg->len = (u16_t)(next->tcphdr->seqno - seqno);
-                    pbuf_realloc(cseg->p, cseg->len);
+                  tcp_seg_free(next);
+                  if (cseg->next != NULL) {
+                    next = cseg->next;
+                    if (TCP_SEQ_GT(seqno + cseg->len, next->tcphdr->seqno)) {
+                      /* We need to trim the incoming segment. */
+                      cseg->len = (u16_t)(next->tcphdr->seqno - seqno);
+                      pbuf_realloc(cseg->p, cseg->len);
+                    }
                   }
                 }
                 break;