in tcp_emu function has OOB bug

qemu version: 4.1.0 

```c
int tcp_emu(struct socket *so, struct mbuf *m){
............
case EMU_REALAUDIO:
............
    while (bptr < m->m_data + m->m_len) {
        case 6:
............
            lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
............               
            *(uint8_t *)bptr++ = (p >> 8) & 0xff;
            *(uint8_t *)bptr = p & 0xff;
............
    }
............
............
}
```

bptr)[1] and  bptr++ ,may make bptr ==  m->m_data + m->m_len,and cause OOB（out of bounds.）