The TCP reassembly code in NetBSD was enhanced some time ago to
coalesce mbufs in the reassembly queue as out-of-order TCP segments
arrive.  This greatly reduces the potential number of mbufs a TCP
reassembly queue can use, because the length of the queue is also
limited to the size of the TCP receive window.

Additionally, mbufs in a partially-reassembled queue can be drained
and reused in resource-shortage conditions; since the out-of-order TCP
data has not been acknowledged, dropping these segments has the same
effect as if the packets had been dropped in the network, and they
will eventually be retransmitted by a legitimate remote TCP.

Together, these two points mean that this resource-exhaustion attack
is not feasible against a NetBSD host. This was confirmed using test
code supplied by Markus Friedl.

More on : www.netbsd.org/Security/