Subject: Re: Possible panic() in ip_input.c
To: Bryan P <u14@terran.org>
From: mouss <usebsd@free.fr>
List: tech-net
Date: 11/23/2003 21:54:51
If the length from the IP header is larger than that of the mbuf, the
packet is rejected by ip_input():

+++++++++++++++++++
	/* Retrieve the packet length. */
	len = ntohs(ip->ip_len);

	/*
	 * Check for additional length bogosity
	 */
	if (len < hlen) {
		ipstat.ips_badlen++;
		goto bad;
	}

	/*
	 * Check that the amount of data in the buffers
	 * is at least as much as the IP header would have us expect.
	 * Trim mbufs if longer than we expect.
	 * Drop packet if shorter than we expect.
	 */
	if (m->m_pkthdr.len < len) {
		ipstat.ips_tooshort++;
		goto bad;
	}
+++++++++++++++++++++++++++++++++++

Bryan P wrote:
> Hello,
> 
> The following block looks suspicious to me (from ip_input.c line 1698 of
> revision 1.185):
> 
> 	/*
> 	 * Save at most 68 bytes of the packet in case
> 	 * we need to generate an ICMP message to the src.
> 	 * Pullup to avoid sharing mbuf cluster between m and mcopy.
> 	 */
> 	mcopy = m_copym(m, 0, imin(ntohs(ip->ip_len), 68), M_DONTWAIT);
> 	if (mcopy)
> 		mcopy = m_pullup(mcopy, ip->ip_hl << 2);
> 
> Should the imin() be taking the length of the original mbuf data buffer as
> an argument instead of the ip_len?  If ip_len is larger than the m->m_len,
> then can't m_copym() fault?
> 
> This is similar code to a bug I just discovered that does exist in BSD/OS
> 4.1.
> 
> thanks,
> -bp
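A user-space model of the ordering mouss is pointing at, added here as an illustration and not taken from NetBSD's ip_input.c: the header-length and total-length checks run against the bytes actually held (the analogue of m->m_pkthdr.len) before any copy length is derived from ip_len, so imin(ip_len, 68) is computed only for packets whose ip_len is already known to fit. The function names (ip_check_len, icmp_save_len, classify, safe_copy_len), the IP_* verdict codes and the constructed packets are all invented for this example.

```c
/* Added example, not NetBSD kernel code: a user-space model of the
 * ip_input() length checks quoted in this thread. Names and verdict
 * codes are invented here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ip_verdict { IP_OK = 0, IP_BADHLEN, IP_BADLEN, IP_TOOSHORT };

#define ICMP_SAVE_MAX 68   /* bytes kept for an ICMP error, as in the quoted code */

/* Validate ip_hl and ip_len against the bytes actually present in the
 * buffer (pktlen plays the role of m->m_pkthdr.len). On IP_OK, store the
 * header length and the total length taken from the header. */
static enum ip_verdict
ip_check_len(const uint8_t *pkt, size_t pktlen, size_t *hlen_out, size_t *len_out)
{
    size_t hlen, len;

    if (pktlen < 20)                          /* not even a minimal header */
        return IP_TOOSHORT;

    hlen = (size_t)(pkt[0] & 0x0f) << 2;      /* ip_hl is in 32-bit words */
    if (hlen < 20 || hlen > pktlen)           /* bogus or unreadable options */
        return IP_BADHLEN;

    len = ((size_t)pkt[2] << 8) | pkt[3];     /* ntohs(ip->ip_len) */
    if (len < hlen)                           /* "additional length bogosity" */
        return IP_BADLEN;

    if (pktlen < len)                         /* data shorter than header claims */
        return IP_TOOSHORT;

    *hlen_out = hlen;
    *len_out = len;
    return IP_OK;
}

/* Prefix length saved for a possible ICMP error. Called only after
 * ip_check_len() accepted the packet, so len never exceeds the data present. */
static size_t
icmp_save_len(size_t len)
{
    return len < ICMP_SAVE_MAX ? len : ICMP_SAVE_MAX;
}

/* Build a constructed IPv4 header with the given ip_hl (words) and ip_len. */
static void
make_hdr(uint8_t *buf, size_t bufsz, unsigned ihl_words, unsigned ip_len)
{
    memset(buf, 0, bufsz);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));  /* version 4, ip_hl */
    buf[2] = (uint8_t)(ip_len >> 8);
    buf[3] = (uint8_t)(ip_len & 0xff);
    buf[9] = 1;                                      /* protocol: ICMP */
}

/* Verdict for a constructed packet of bufsz bytes (capped at 128). */
static enum ip_verdict
classify(unsigned ihl_words, unsigned ip_len, size_t bufsz)
{
    uint8_t buf[128];
    size_t hlen, len;
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    make_hdr(buf, bufsz, ihl_words, ip_len);
    return ip_check_len(buf, bufsz, &hlen, &len);
}

/* Copy length the ICMP path would use for that packet, or 0 if the packet
 * was rejected before the copy is ever attempted. */
static size_t
safe_copy_len(unsigned ihl_words, unsigned ip_len, size_t bufsz)
{
    uint8_t buf[128];
    size_t hlen, len;
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    make_hdr(buf, bufsz, ihl_words, ip_len);
    if (ip_check_len(buf, bufsz, &hlen, &len) != IP_OK)
        return 0;
    return icmp_save_len(len);
}

int main(void)
{
    static const char *names[] = { "OK", "BADHLEN", "BADLEN", "TOOSHORT" };
    /* Constructed cases: consistent packet, ip_len larger than the data
     * (Bryan's concern), ip_len smaller than the header, oversized ip_hl. */
    printf("ip_len 40 in 40 bytes: %s, copy %zu\n", names[classify(5, 40, 40)],
           safe_copy_len(5, 40, 40));
    printf("ip_len 1500 in 40 bytes: %s, copy %zu\n", names[classify(5, 1500, 40)],
           safe_copy_len(5, 1500, 40));
    printf("ip_len 10 in 40 bytes: %s\n", names[classify(5, 10, 40)]);
    printf("ip_hl 15 in 40 bytes: %s\n", names[classify(15, 40, 40)]);
    printf("ip_len 120 in 128 bytes: copy %zu\n", safe_copy_len(5, 120, 128));
    return 0;
}
```

The case with ip_len 1500 in a 40-byte buffer is the one Bryan asks about: it never reaches the copy, because the earlier ips_tooshort check drops it.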