This is a backport of upstream changes to fix the FragmentSmack (CVE- 2018-5391) vulnerability.
Peter Oskolkov checked an earlier version of this backport, but I have since rebased and added another 3 commits to it. I tested with the ip_defrag.sh self-test that he added upstream, and it passed. I have included the fix that is currently queued for the 4.9, 4.14 and 4.19 branches.
Ben.