Add a comment clarifying control flow in process_packet()

The analysis of CVE-2016-4954 in my previous commit message was
incorrect; there are indeed (minor) security implications to that bug
because the tardily-performed sanity check covers more than I thought.