From b5e8ab6c150e14f2418ba99d8ab91df2f3869d66 Mon Sep 17 00:00:00 2001
From: Erik Ekman
Date: Fri, 19 Jun 2020 15:00:25 +0200
Subject: [PATCH] tcp: Fix double free in tcp_split_unsent_seg()

Fixes bug #57377 (found by Hiromasa Ito).
---
 src/core/tcp_out.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/core/tcp_out.c b/src/core/tcp_out.c
index e5bbb52f..8149d394 100644
--- a/src/core/tcp_out.c
+++ b/src/core/tcp_out.c
@@ -913,6 +913,7 @@ tcp_split_unsent_seg(struct tcp_pcb *pcb, u16_t split)
 seg = tcp_create_segment(pcb, p, remainder_flags, lwip_ntohl(useg->tcphdr->seqno) + split, optflags);
 if (seg == NULL) {
+ p = NULL; /* Freed by tcp_create_segment */
 LWIP_DEBUGF(TCP_OUTPUT_DEBUG | LWIP_DBG_LEVEL_SERIOUS, ("tcp_split_unsent_seg: could not create new TCP segment\n"));
 goto memerr;
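Review bot: The fix depends on the cleanup at `memerr` skipping a NULL `p`, and that label is outside this hunk, so the ownership rule should be spelled out at the point where it is relied on. I would expand the comment to `p = NULL; /* tcp_create_segment() takes ownership of p and has already freed it on failure; memerr must not free it again */`. Any other caller of tcp_create_segment() that keeps its pbuf pointer for an error path presumably has the same free-on-failure hazard, so those call sites are worth checking for the same pattern. A unit test that forces tcp_create_segment() to fail during a split would keep this double free from coming back. The body of tcp_split_unsent_seg() starts and ends outside the hunk.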