assumes that it cannot be reached in the crossed SYN case.
This is wrong if the original SYNs came from a malicious packet
generator third party.  This can result in a 4 minute ACK
fight if the sequence numbers are correct.

The fix is the verify the ACK before we do anything else, which
should cover all cases.

This bug was discovered by Casper Dik.