In some email I received from itojun@iijlab.net, sie wrote:
> 
> >> >> ip_fil.c:send_reset()
> >> >> 	packet size may possibly overrun mbuf, on certain operating systems
> >> >> 	(like MSIZE == 128 and sizeof(void *) == 8).
> >> >huh ?
> >> >In send_reset(), it is ONLY IPv6 + TCP.
> >> >You're telling me that'll overflow 128 bytes ?!
> >> >Likewise, I don't see anything that does anything with "sizeof(void *)"/
> >> 
> >> 	MHLEN = MSIZE - sizeof(a couple of pointers and integers).
> >> 	TCP header (including option part) can take up to 64 bytes.
> >> 	IPv6 header occupies 40 bytes.
> >> 	if 40 + 64 > MHLEN, you are dead.
> >TCP RST's are generated without TCP options and have 20 byte headers.
> 
> 	if I were you I would put
> 		#ifdef DIAGNOSTIC
> 			if (MHLEN > 20 + 64)
> 				panic("foo");
> 		#endif

Why is that 20 + 64 ?  Isn't an IPv6 header 40 bytes long, not 64 ?
4 + 2 + 1 + 1 + 2 * 16 = 40

Should I also include:

  		#ifdef DIAGNOSTIC
  			if (MHLEN > 20 + 20)
  				panic("foo");
  		#endif

For the plain IPv4 case ?

I mean if we can't get a basic TCP + IPv* header into a single MBUF we're
in a seriously screwed position and we'll be up the creek in so many ways.

Darren