Subject: Possible panic() in ip_input.c
To: NetBSD Network <tech-net@netbsd.org>
From: Bryan P <u14@terran.org>
List: tech-net
Date: 11/21/2003 16:33:47
Hello,

The following block looks suspicious to me (from ip_input.c line 1698 of
revision 1.185):

	/*
	 * Save at most 68 bytes of the packet in case
	 * we need to generate an ICMP message to the src.
	 * Pullup to avoid sharing mbuf cluster between m and mcopy.
	 */
	mcopy = m_copym(m, 0, imin(ntohs(ip->ip_len), 68), M_DONTWAIT);
	if (mcopy)
		mcopy = m_pullup(mcopy, ip->ip_hl << 2);

Should the imin() be taking the length of the original mbuf data buffer as
an argument instead of the ip_len?  If ip_len is larger than the m->m_len,
then can't m_copym() fault?

This is similar code to a bug I just discovered that does exist in BSD/OS
4.1.

thanks,
-bp
--
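Added example (editor's illustration, not NetBSD or BSD/OS code, and not part of the original mail): a constructed two-segment model of an mbuf chain, with `copy_from_chain` standing in for m_copym, shows how a copy length driven only by imin(ip_len, 68) runs past the bytes actually present when the header claims more than was received, and how bounding the length by the chain's real size as well (a hypothetical `safe_copy_len`) avoids that. The `seg` struct, sample sizes (20 + 30 bytes) and function names are assumptions of this example.

```c
/* Constructed model of the concern in the mail: a two-segment "mbuf chain"
 * holds fewer bytes than the IP header's ip_len claims. Not NetBSD code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ICMP_SAVE_MAX 68   /* bytes the quoted code keeps for an ICMP error */
struct seg { const uint8_t *data; size_t len; struct seg *next; };

/* Copy len bytes out of the chain into out. Returns bytes copied, or -1 if
 * the request runs past the last segment (the over-read, detected here). */
static long copy_from_chain(const struct seg *s, size_t len, uint8_t *out) {
    size_t done = 0;
    while (done < len) {
        if (s == NULL) return -1;
        size_t take = s->len < len - done ? s->len : len - done;
        memcpy(out + done, s->data, take);
        done += take;
        s = s->next;
    }
    return (long)done;
}

/* Copy bound that never exceeds what was actually received:
 * min(ip_len, bytes present on the chain, ICMP_SAVE_MAX). */
size_t safe_copy_len(uint16_t claimed_ip_len, const struct seg *chain) {
    size_t have = 0, n = claimed_ip_len;
    for (const struct seg *s = chain; s != NULL; s = s->next) have += s->len;
    if (n > have) n = have;
    if (n > ICMP_SAVE_MAX) n = ICMP_SAVE_MAX;
    return n;
}

/* Constructed sample packet: 20 + 30 = 50 bytes present, whatever the header says. */
static uint8_t sample_a[20], sample_b[30];
static struct seg sample_tail = { sample_b, sizeof sample_b, NULL };
static struct seg sample_chain = { sample_a, sizeof sample_a, &sample_tail };

/* Copy driven by imin(ip_len, 68) alone, as in the quoted block. */
long naive_copy(uint16_t claimed_ip_len) {
    uint8_t out[ICMP_SAVE_MAX];
    size_t n = claimed_ip_len < ICMP_SAVE_MAX ? claimed_ip_len : ICMP_SAVE_MAX;
    return copy_from_chain(&sample_chain, n, out);
}

/* Copy driven by the bound that also respects the bytes present. */
long bounded_copy(uint16_t claimed_ip_len) {
    uint8_t out[ICMP_SAVE_MAX];
    return copy_from_chain(&sample_chain, safe_copy_len(claimed_ip_len, &sample_chain), out);
}
```

With a header claiming 1500 bytes on a 50-byte chain, `naive_copy` reports the over-read (-1) while `bounded_copy` copies exactly the 50 bytes that exist.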