Subject: Re: ppsratecheck(9)
To: None <itojun@iijlab.net>
From: Atsushi Onoe <onoe@sm.sony.co.jp>
List: tech-kern
Date: 07/07/2000 16:03:55
> 	from my experience, it is bad practice to omit this kind of checks.
> 	it will bite us in the future.  for example, substantial portion of
> 	KAME work was to remove assumptions on mbuf size boundary (which
> 	became false due to like increased struct size), or adding proper
> 	checks/MCLGET calls.

The assumptions which are made for optimization can cause problems
in the future.  I agree with you that we should try to remove such
assumptions in general, and should consider a slow path alternative if such
an assumption is necessary to improve performance.  Of course, this doesn't
mean we should put diagnostics code everywhere.

In this case, if you think the counter never reaches the max signed int,
the wrap-around check should go #ifdef DIAGNOSTICS.  Otherwise, unsigned
int seems to be better.

I'm just curious why you use int instead of unsigned as a counter.

Atsushi Onoe
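
Added example, not part of the original message and not NetBSD's ppsratecheck code: a per-second event limiter written twice, once with a signed counter guarded by a wrap-around check and once with an unsigned counter, to show what each does at its maximum value. The struct and function names and the whole-second time argument are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical limiter state; names are assumptions, not NetBSD's code. */
struct rate_s { long sec; int count; };          /* signed counter */
struct rate_u { long sec; unsigned int count; }; /* unsigned counter */

/* Signed counter: incrementing past INT_MAX is undefined behaviour in C,
 * so the increment is guarded and the counter saturates instead. */
int rate_ok_signed(struct rate_s *r, long now, int maxpps)
{
    if (now != r->sec) {        /* new one-second window */
        r->sec = now;
        r->count = 0;
    }
    int ok = r->count < maxpps;
    if (r->count < INT_MAX)     /* the wrap-around check */
        r->count++;
    return ok;
}

/* Unsigned counter: no check is needed for defined behaviour, but the
 * counter wraps to 0 at UINT_MAX and the limit opens again. */
int rate_ok_unsigned(struct rate_u *r, long now, unsigned int maxpps)
{
    if (now != r->sec) {
        r->sec = now;
        r->count = 0;
    }
    int ok = r->count < maxpps;
    r->count++;                 /* wraps modulo UINT_MAX + 1 */
    return ok;
}

int main(void)
{
    /* Constructed state: both counters start at their maximum value. */
    struct rate_s s = { 0, INT_MAX };
    struct rate_u u = { 0, UINT_MAX };
    int s_ok = rate_ok_signed(&s, 0, 10);
    printf("signed:   ok=%d count=%d\n", s_ok, s.count);
    int u_ok = rate_ok_unsigned(&u, 0, 10);
    int u_next = rate_ok_unsigned(&u, 0, 10);
    printf("unsigned: ok=%d then ok=%d count=%u\n", u_ok, u_next, u.count);
    return 0;
}
```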