Dangling inseg.p pointer fix by Pedro Alves.

src/core/tcp_in.c

@@ -3,10 +3,10 @@
  *
  * Transmission Control Protocol, incoming traffic
  *
- * The input processing functions of TCP.
+ * The input processing functions of the TCP layer.
  *
- * These functions are generally called in the order (ip_input() ->) tcp_input() ->
+ * These functions are generally called in the order (ip_input() ->)
- * tcp_process() -> tcp_receive() (-> application).
+ * tcp_input() -> * tcp_process() -> tcp_receive() (-> application).
  * 
  */
 
@@ -80,7 +80,6 @@ static void tcp_parseopt(struct tcp_pcb *pcb);
 static err_t tcp_listen_input(struct tcp_pcb_listen *pcb);
 static err_t tcp_timewait_input(struct tcp_pcb *pcb);
 
-
 /* tcp_input:
  *
  * The initial input processing of TCP. It verifies the TCP header, demultiplexes
@@ -191,7 +190,6 @@ tcp_input(struct pbuf *p, struct netif *inp)
   if (pcb == NULL) {
     /* If it did not go to an active connection, we check the connections
        in the TIME-WAIT state. */
-
     for(pcb = tcp_tw_pcbs; pcb != NULL; pcb = pcb->next) {
       LWIP_ASSERT("tcp_input: TIME-WAIT pcb->state == TIME-WAIT", pcb->state == TIME_WAIT);
       if (pcb->remote_port == tcphdr->src &&
@@ -306,12 +304,12 @@ tcp_input(struct pbuf *p, struct netif *inp)
     }
 
 
-    /* We deallocate the incoming pbuf. If it was buffered by the
+    /* give up our reference to inseg.p */
-       application, the application should have called pbuf_ref() to
+    if (inseg.p != NULL)
-       increase the reference counter in the pbuf. If so, the buffer
+    {
-       isn't actually deallocated by the call to pbuf_free(), only the
+      pbuf_free(inseg.p);
-       reference count is decreased. */
+      inseg.p = NULL;
-    if (inseg.p != NULL) pbuf_free(inseg.p);
+    }
 #if TCP_INPUT_DEBUG
 #if TCP_DEBUG
     tcp_debug_print_state(pcb->state);