Use m_catpkt(9) to avoid a possible use-after-free in ieee80211_defrag().

m is not guaranteed to be valid after m_cat() returns. The effects of this
are most noticeable when INVARIANTS is enabled, since m's header length
field is given a value of 0xdeadc0de by the trash dtor.

Reviewed by:	glebius
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D5497
Mark Johnston 2016-03-02 05:01:58 +00:00
parent a3f6b02969
commit f6ed0a3918
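The ownership rule the commit message relies on, as an added user-space model (not FreeBSD kernel code): m_cat(9) may copy the trailing chain's data into the tail of the first chain and free it, so anything read from `m` after the call is a use-after-free, while m_catpkt(9) folds the packet-header length in before the concatenation can free `m`. Everything below is constructed for the demo: `struct buf` stands in for an mbuf, `chain_cat`/`chain_catpkt` model the two kernel routines, and freed bufs are poisoned with the 0xdeadc0de pattern and parked on a free list so the stale read is observable and deterministic instead of undefined behaviour.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64
#define TRASH_PATTERN 0xdeadc0deU   /* pattern the INVARIANTS trash dtor writes */

struct buf {                 /* toy stand-in for struct mbuf (assumption) */
    struct buf *next;
    uint32_t len;            /* bytes used in data[], like m_len */
    uint32_t pkthdr_len;     /* whole-packet length; meaningful on the head only */
    unsigned char data[BUF_SIZE];
};

/* Freed bufs are poisoned and parked here rather than handed back to libc, so
 * a use-after-free reads TRASH_PATTERN deterministically (models UMA+INVARIANTS). */
static struct buf *freelist;

static struct buf *buf_alloc(const void *src, uint32_t n, uint32_t pkthdr_len)
{
    struct buf *b = calloc(1, sizeof(*b));
    assert(b != NULL && n <= BUF_SIZE);
    memcpy(b->data, src, n);
    b->len = n;
    b->pkthdr_len = pkthdr_len;
    return b;
}

static struct buf *buf_free(struct buf *b)   /* returns b->next, like m_free() */
{
    struct buf *nxt = b->next;
    b->len = b->pkthdr_len = TRASH_PATTERN;
    b->next = freelist;
    freelist = b;
    return nxt;
}

/* Model of m_cat(9): while the tail of m has room for n's data, copy it in and
 * FREE n; otherwise just link n. The caller must not touch n afterwards. */
static void chain_cat(struct buf *m, struct buf *n)
{
    while (m->next != NULL)
        m = m->next;
    while (n != NULL) {
        if (BUF_SIZE - m->len < n->len) {
            m->next = n;          /* no room: join the two chains */
            return;
        }
        memcpy(m->data + m->len, n->data, n->len);
        m->len += n->len;
        n = buf_free(n);          /* n is gone from here on */
    }
}

/* Model of m_catpkt(9): account for n's packet header BEFORE n can be freed. */
static void chain_catpkt(struct buf *m, struct buf *n)
{
    m->pkthdr_len += n->pkthdr_len;
    n->pkthdr_len = 0;            /* demote n's header */
    chain_cat(m, n);
}

/* Pre-fix ordering from ieee80211_defrag(): reads m after m_cat() returned. */
static uint32_t defrag_before(struct buf *mfrag, struct buf *m)
{
    chain_cat(mfrag, m);
    mfrag->pkthdr_len += m->pkthdr_len;   /* use-after-free when m was consumed */
    return mfrag->pkthdr_len;
}

/* Fixed ordering. */
static uint32_t defrag_after(struct buf *mfrag, struct buf *m)
{
    chain_catpkt(mfrag, m);
    return mfrag->pkthdr_len;
}

static uint32_t chain_bytes(const struct buf *m)   /* data really on the chain */
{
    uint32_t total = 0;
    for (; m != NULL; m = m->next)
        total += m->len;
    return total;
}

/* Constructed fragments: head_fill bytes in the first one, 8 in the second.
 * A small head_fill takes m_cat's copy-and-free path; BUF_SIZE forces the
 * link path, where the old code happened to work. Returns the packet length. */
static uint32_t run_defrag(int fixed, uint32_t head_fill)
{
    unsigned char a[BUF_SIZE], b[8];
    memset(a, 'A', sizeof(a));
    memset(b, 'B', sizeof(b));
    struct buf *mfrag = buf_alloc(a, head_fill, head_fill);
    struct buf *m = buf_alloc(b, sizeof(b), sizeof(b));
    uint32_t r = fixed ? defrag_after(mfrag, m) : defrag_before(mfrag, m);
    assert(chain_bytes(mfrag) == head_fill + sizeof(b));   /* data intact either way */
    return r;
}

int main(void)
{
    printf("copy path: before=0x%08x after=%u\n", run_defrag(0, 16), run_defrag(1, 16));
    printf("link path: before=%u after=%u\n", run_defrag(0, BUF_SIZE), run_defrag(1, BUF_SIZE));
    return 0;
}
```

The copy path is the one the commit message describes: the old ordering adds the poisoned 0xdeadc0de to the packet length, whereas on the link path (tail full) both orderings agree, which is why the bug only shows up intermittently and is "most noticeable" with the trash dtor active.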


@ -249,9 +249,7 @@ ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace)
mfrag = m;
} else { /* concatenate */
m_adj(m, hdrspace); /* strip header */
m_cat(mfrag, m);
/* NB: m_cat doesn't update the packet header */
mfrag->m_pkthdr.len += m->m_pkthdr.len;
m_catpkt(mfrag, m);
/* track last seqnum and fragno */
lwh = mtod(mfrag, struct ieee80211_frame *);
*(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq;
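Review bot: the read of `*(uint16_t *) wh->i_seq` two lines after `m_catpkt(mfrag, m)` still touches `m` after the call if `wh` points into `m`'s data (its definition is outside this hunk); m_cat(9) may copy `m` into the tail of `mfrag` and free it, which is exactly the hazard this change removes for `m_pkthdr.len`. Suggest latching the value before the concatenation, e.g. `seq = *(uint16_t *) wh->i_seq;` placed before `m_catpkt(mfrag, m);` and then `*(uint16_t *) lwh->i_seq = seq;`, or reading it from `mfrag` if the header is preserved there.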