Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.30
retrieving revision 1.30.4.2
diff -u -p -r1.30 -r1.30.4.2
--- src/sys/netinet/ip_input.c 1996/03/16 23:53:58 1.30
+++ src/sys/netinet/ip_input.c 1996/12/11 01:56:56 1.30.4.2
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
+/* $NetBSD: ip_input.c,v 1.30.4.2 1996/12/11 01:56:56 mycroft Exp $ */
 /*
 * Copyright (c) 1982, 1986, 1988, 1993
@@ -345,7 +345,7 @@ ours:
 * if the packet was previously fragmented,
 * but it's not worth the time; just let them time out.)
 */
- if (ip->ip_off &~ IP_DF) {
+ if (ip->ip_off & ~(IP_DF|IP_RF)) {
 if (m->m_flags & M_EXT) { /* XXX */
 if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
 ipstat.ips_toosmall++;
@@ -531,10 +531,16 @@ insert:
 return (0);
 /*
- * Reassembly is complete; concatenate fragments.
+ * Reassembly is complete. Check for a bogus message size and
+ * concatenate fragments.
 */
 q = fp->ipq_fragq.lh_first;
 ip = q->ipqe_ip;
+ if ((next + (ip->ip_hl << 2)) > IP_MAXPACKET) {
+ ipstat.ips_toolong++;
+ ip_freef(fp);
+ return (0);
+ }
 m = dtom(q->ipqe_ip);
 t = m->m_next;
 m->m_next = 0;
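Review bot: In the `@@ -345,7 +345,7 @@` hunk the mask now also ignores `IP_RF`, but the comment above the test still speaks only of fragments, so the reason the reserved bit is excluded is not recorded anywhere visible. A short comment on the condition, for example `/* IP_RF is reserved and carries no fragment information; only MF or a non-zero offset means reassembly. */`, would keep a later reader from "simplifying" the mask back. Datagrams arriving with the reserved bit set now pass through as ordinary unfragmented packets, so it may be worth deciding (outside this hunk) whether they should be counted. The enclosing block continues past the end of the hunk.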
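Review bot: The added `if ((next + (ip->ip_hl << 2)) > IP_MAXPACKET)` test in the `@@ -531,10 +531,16 @@` hunk runs only once reassembly is complete, after the earlier `return (0)`, so an oversized fragment chain still occupies the reassembly queue until its last piece arrives or it times out. If the fragment's offset and length are known where it is inserted (that code is outside this hunk, so this is an assumption), rejecting any fragment whose end would pass `IP_MAXPACKET` there would release the queue sooner, with this test kept as a backstop. The comment would also be more useful if it said why the bound matters, for example `* The header plus data must fit the 16-bit IP total-length field; otherwise drop the whole queue.` The function starts before and continues after the hunk, so how `next` is accumulated is not visible here.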