Another memory management bug in the slirp code causes qemu to crash while attempting to reassemble a fragmented IP packet. While iterating through a list of buffers, if m_cat() moves the current buffer, the pointer to the next buffer is read from an invalid location. The attached patch simply reads the next buffer pointer before calling m_cat(). Incidentally, this is also the fix adopted in the BSD networking stack, from which slirp was originally derived.

--Ed
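An added example, not part of the original message or the attached patch: a minimal C model of the iteration pattern described above, with the link read before the concatenation call. The `frag` structure and the `frag_new`, `frag_cat` and `reassemble` functions are hypothetical stand-ins rather than slirp's code, and `frag_cat` assumes the buffer it consumes is released after copying.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not slirp's types: the list link is stored in the
 * same heap block as the fragment payload. */
struct frag { struct frag *next; size_t len; char data[]; };

static struct frag *frag_new(const char *s, struct frag *next) {
    struct frag *f = malloc(sizeof *f + strlen(s));
    if (!f) abort();
    f->next = next;
    f->len = strlen(s);
    memcpy(f->data, s, f->len);
    return f;
}

/* Stand-in for m_cat(): append src to dst. realloc() may move dst and src
 * is released, so older pointers into either block are stale afterwards. */
static struct frag *frag_cat(struct frag *dst, struct frag *src) {
    struct frag *g = realloc(dst, sizeof *dst + dst->len + src->len);
    if (!g) abort();
    memcpy(g->data + g->len, src->data, src->len);
    g->len += src->len;
    free(src);
    return g;
}

/* Unsafe order: head = frag_cat(head, cur); cur = cur->next;
 * That loads the link from a block frag_cat() has already invalidated. */
static struct frag *reassemble(struct frag *head) {
    struct frag *cur = head->next;
    head->next = NULL;
    while (cur) {
        struct frag *next = cur->next; /* read the link before the call */
        head = frag_cat(head, cur);    /* cur must not be touched again */
        cur = next;
    }
    return head;
}

int main(void) { /* constructed three-fragment chain */
    struct frag *h = reassemble(
        frag_new("AAA", frag_new("BBB", frag_new("CCC", NULL))));
    printf("%zu %.*s\n", h->len, (int)h->len, h->data);
    free(h);
    return 0;
}
```

Building the unsafe order with AddressSanitizer (`-fsanitize=address`) reports the stale read as a heap-use-after-free, which makes this class of bug straightforward to catch in testing.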