pf tests: reproduce use-after-free in fragment reassembly
Produce an IPv6 packet that's longer than 65535 bytes so it'll get dropped in
pf_reassemble6(). This can then cause pf_normalize_ip6() to return an error,
which led pf_setup_pdesc() to fail to update *m0, eventually ending up with
pf_scrub() attempting to modify *m0 (now different from pd->m), a freed mbuf.
This does depend on pf_join_fragment()'s call to m_cat() freeing the relevant
mbuf rather than adding it to the chain. Accomplish this by ensuring there's
sufficient free space, by having dummymbuf re-allocate larger mbufs for our
fragments.
PR: 283705
Reported by: Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Sponsored by: Rubicon Communications, LLC ("Netgate")