pf -- IP fragment handling panic

Problem description:
A logic bug in pf’s IP fragment cache may result in a packet
fragment being inserted twice, violating a kernel
invariant.
Impact:
By sending carefully crafted sequence of IP packet fragments,
a remote attacker can cause a system running pf with a ruleset
containing a ‘scrub fragment crop’ or ‘scrub fragment
drop-ovl’ rule to crash.
Workaround:
Do not use ‘scrub fragment crop’ or ‘scrub fragment drop-ovl’
rules on systems running pf. In most cases, such rules can be
replaced by ‘scrub fragment reassemble’ rules; see the
pf.conf(5) manual page for more details.
Systems which do not use pf, or use pf but do not use the
aforementioned rules, are not affected by this issue.