ASA-2019-00270 – FreeBSD: IPv6 fragment reassembly panic in pf(4)

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet. Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filtering rule bypass. Only systems that use the pf(4) firewall and enable packet scrubbing with the recommended 'scrub all in' rule or similar are affected.
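The condition described above, fragments of one datagram carrying different extension header chains, can be checked for in captured traffic. The following Python detector is an added example, not part of the advisory or of FreeBSD code. It assumes raw packets that start at the IPv6 header; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60  # RFC 8200 next-header values

def fragment_header_offset(pkt):
    """Return ((src, dst, frag_id), offset of Fragment header), or None if not a fragment."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    # Walk the extension headers that may precede the Fragment header.
    while nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if off + 2 > len(pkt):
            return None  # truncated extension header
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt != FRAGMENT or off + 8 > len(pkt):
        return None
    frag_id = struct.unpack_from("!I", pkt, off + 4)[0]
    return (pkt[8:24], pkt[24:40], frag_id), off

def inconsistent_fragment_sets(packets):
    """Fragment IDs whose fragments place the Fragment header at different offsets."""
    offsets = defaultdict(set)
    for pkt in packets:
        parsed = fragment_header_offset(pkt)
        if parsed:
            offsets[parsed[0]].add(parsed[1])
    return sorted(key[2] for key, offs in offsets.items() if len(offs) > 1)

def sample_fragment(frag_id, with_dest_opts, offset_units, more):
    """Constructed test input (hypothetical helper), documentation addresses 2001:db8::1/2."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    # Optional 8-byte Destination Options header holding one PadN option.
    ext = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0]) if with_dest_opts else b""
    frag = struct.pack("!BBHI", 59, 0, (offset_units << 3) | more, frag_id)
    body = ext + frag + b"\x00" * 8
    first = DEST_OPTS if with_dest_opts else FRAGMENT
    return struct.pack("!IHBB", 0x60000000, len(body), first, 64) + src + dst + body

SAMPLE = [
    sample_fragment(0x1111, False, 0, 1),  # consistent pair
    sample_fragment(0x1111, False, 1, 0),
    sample_fragment(0x2222, False, 0, 1),  # second fragment adds an extension header
    sample_fragment(0x2222, True, 1, 0),
]

if __name__ == "__main__":
    print([hex(i) for i in inconsistent_fragment_sets(SAMPLE)])
```

A flagged fragment ID means the fragments disagree on where the Fragment header sits, which well-formed fragmentation of a single datagram does not produce.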