Relax overly-conservative TCP option parsing used by ipnat when

hunting for an MSS option to clamp.  The previous code assumed that at least
one more byte of options (such as a TCPOPT_EOL) would follow the MSS
option; now, we allow the MSS option to end on the last byte of the
TCP header.

Packets have been observed "in the wild" with a TCP header length of
'6' (24 bytes.. 20 bytes fixed header, 4 bytes options) with a 4-byte
MSS option exactly filling the 4 bytes of options payload and no
following TCPOPT_EOL.

RFC793 is quite explicit that the EOL byte:

	" .. need only be used if the end of the options would not
	otherwise coincide with the end of the TCP header."

sys/netinet/ip_nat.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_nat.c,v 1.53 2002/09/19 08:12:52 martti Exp $	*/
+/*	$NetBSD: ip_nat.c,v 1.54 2002/09/24 14:14:25 sommerfeld Exp $	*/
 
 /*
  * Copyright (C) 1995-2001 by Darren Reed.
@@ -112,7 +112,7 @@ extern struct ifnet vpnif;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.53 2002/09/19 08:12:52 martti Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.54 2002/09/24 14:14:25 sommerfeld Exp $");
 #else
 static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp";
@@ -1176,7 +1176,7 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
 			if (&cp[1] >= ep)
 				break;
 			advance = cp[1];
-			if (&cp[advance] >= ep)
+			if (&cp[advance] > ep)
 				break;
 			switch (opt) {
 			case TCPOPT_MAXSEG: