DF-0391
pf_fragcache: m_dup NULL dereferenced before NULL check in m_adj argument: remote DoS under memory pressure with fragcrop
Summary
pf_fragcache(:661-666) fragcrop overlap path: *m0=m_dup(m,M_NOWAIT) can return NULL under memory pressure. Argument expression at :663-664 m_adj(*m0,(h->ip_hl<<2)-(*m0)->m_pkthdr.len) dereferences *m0 BEFORE NULL check at :665. Comment "From KAME Project: We have missed this!" acknowledges the issue but the check is still AFTER the deref. Trigger: pf scrub with PFRULE_FRAGCROP + overlapping fragment + memory pressure (fragment flood uses M_NOWAIT). Remote unauthenticated kernel panic. Requires non-default fragcrop config.