There is a heap buffer overflow in icmp_error() in bsd/netinet/ip_icmp.c at line 339. The function generates an ICMP error packet of the requested type in response to a bad IP packet; ICMP is the protocol used to carry such error messages. To build the message it calls m_copydata() to copy the header of the bad packet into the ICMP message, but it never checks whether that header fits in the destination buffer, so a header larger than the buffer was sized for overflows it on the heap.
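The copy pattern above, modelled in userland as an added example (this is not XNU's code and not part of the original alert): the error message is filled using a length derived from the offending packet's own IP header, the way icmp_error() hands m_copydata() a length it never compares with the destination, beside a variant that clamps the copy to the room left in the message. The 36-byte message size, the sentinel that stands in for the neighbouring heap object, the slack after it, the constructed packets and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ICMP_MINLEN   8     /* ICMP header: type, code, checksum, 4 unused bytes */
#define IP_MIN_HLEN  20     /* IPv4 header with IHL = 5 */
#define IP_MAX_HLEN  60     /* IPv4 header with IHL = 15 (40 bytes of options) */

/* Assumed message size: a minimum IPv4 header plus 8 bytes of the offending
 * datagram, 36 bytes. The unchecked copy below silently assumes exactly that. */
#define ERR_MSG_SIZE (ICMP_MINLEN + IP_MIN_HLEN + 8)

/* The message is followed in its heap block by a sentinel (standing in for the
 * next heap object) and slack, so the worst-case overrun stays inside the
 * allocation and the demo remains well-defined C. A kernel has no such slack. */
#define SENTINEL_SIZE 4
#define BACKING_SIZE (ERR_MSG_SIZE + SENTINEL_SIZE + IP_MAX_HLEN + 8)
static const uint8_t SENTINEL[SENTINEL_SIZE] = { 0xDE, 0xAD, 0xBE, 0xEF };

static int sentinel_intact(const uint8_t *buf)
{
    return memcmp(buf + ERR_MSG_SIZE, SENTINEL, SENTINEL_SIZE) == 0;
}

/* Header length as declared by the bad packet itself: IHL nibble * 4. */
static size_t ip_hlen(const uint8_t *pkt)
{
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Unchecked pattern: the copy length is derived from the offending packet's own
 * header and clamped only to that packet's length, never to the destination. */
static void build_icmp_error_unchecked(uint8_t *msg, uint8_t type, uint8_t code,
                                       const uint8_t *bad, size_t badlen)
{
    size_t copylen = ip_hlen(bad) + 8;
    if (copylen > badlen)
        copylen = badlen;
    msg[0] = type;
    msg[1] = code;
    memcpy(msg + ICMP_MINLEN, bad, copylen);   /* overruns as soon as hlen > 20 */
}

/* Hardened variant: one more clamp, against the room left in the message.
 * Returns the number of bytes actually quoted so callers can see truncation. */
static size_t build_icmp_error_checked(uint8_t *msg, size_t msgsize, uint8_t type,
                                       uint8_t code, const uint8_t *bad, size_t badlen)
{
    size_t room = msgsize - ICMP_MINLEN;
    size_t copylen = ip_hlen(bad) + 8;
    if (copylen > badlen)
        copylen = badlen;
    if (copylen > room)
        copylen = room;
    msg[0] = type;
    msg[1] = code;
    memcpy(msg + ICMP_MINLEN, bad, copylen);
    return copylen;
}

/* Runs either builder on a constructed IPv4 packet whose IHL field is 'ihl'
 * words (0x41 filler, long enough for any header). Returns the number of bytes
 * quoted if the sentinel survived, -1 if the copy ran over it. */
static long run_icmp_error(unsigned ihl, int checked)
{
    uint8_t pkt[IP_MAX_HLEN + 8];
    memset(pkt, 0x41, sizeof pkt);
    pkt[0] = (uint8_t)(0x40 | (ihl & 0x0f));        /* version 4, IHL */

    uint8_t *buf = calloc(1, BACKING_SIZE);
    if (buf == NULL)
        return -2;
    memcpy(buf + ERR_MSG_SIZE, SENTINEL, SENTINEL_SIZE);

    size_t quoted = ip_hlen(pkt) + 8;
    if (checked)
        quoted = build_icmp_error_checked(buf, ERR_MSG_SIZE, 3, 1, pkt, sizeof pkt);
    else
        build_icmp_error_unchecked(buf, 3, 1, pkt, sizeof pkt);

    long rc = sentinel_intact(buf) ? (long)quoted : -1;
    free(buf);
    return rc;
}

int main(void)
{
    printf("IHL 5  unchecked: %ld\n", run_icmp_error(5, 0));    /* 28 */
    printf("IHL 6  unchecked: %ld\n", run_icmp_error(6, 0));    /* -1 */
    printf("IHL 15 unchecked: %ld\n", run_icmp_error(15, 0));   /* -1 */
    printf("IHL 15 checked:   %ld\n", run_icmp_error(15, 1));   /* 28 */
    return 0;
}
```

A single IP option word (IHL = 6) is already enough to write past the message, which is why the clamp has to be against the destination and not only against the source packet.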
This alert covers only two of the several vulnerabilities fixed by Apple: one in the macro nfsm_chain_get_fh() and one in the macro nfsm_chain_get_opaque(). nfsm_chain_get_fh() copies the file handle from the message into a dynamically allocated buffer without taking the length of the message into account. nfsm_chain_get_opaque() has an integer overflow: it uses the nfsm_rndup() macro to round LEN up to the next multiple of 4, and since nfsm_rndup() performs no overflow check, a sufficiently large LEN wraps around and yields a rounded value smaller than LEN itself.
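Both macro defects, modelled together as an added example (not XNU's code and not part of the original alert): a tiny XDR chain, a get_fh-style copy that takes the handle length from the message and copies without checking it, and a get_opaque-style availability check that rounds with nfsm_rndup()-style 32-bit arithmetic, so a LEN near UINT32_MAX rounds to 0 and passes the "enough bytes left" test. The chain structure, the 32-bit width of LEN, the 64-byte handle capacity, the sentinel and slack, and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A chain here is just a cursor plus the number of message bytes left. */
struct xdr_chain {
    const uint8_t *cur;
    uint32_t left;
};

/* --- get_opaque: the rounding overflow --- */

/* XDR pads opaque data to a multiple of 4. In 32-bit arithmetic len + 3 wraps
 * for len >= 0xFFFFFFFD, so the rounded result is 0. */
static uint32_t rndup32(uint32_t len)
{
    return (len + 3u) & ~3u;
}

/* Availability is checked against the rounded length, so a wrapped rounding
 * lets a huge len through. Returns the length the check authorised for the
 * following copy, or -1 if rejected. The copy itself is not performed: with a
 * wrapped length it would read far beyond the chain. */
static int64_t opaque_unchecked(const struct xdr_chain *c, uint32_t len)
{
    if (rndup32(len) > c->left)
        return -1;
    return (int64_t)len;
}

/* Hardened: refuse any len whose padding would wrap, before rounding at all. */
static int64_t opaque_checked(const struct xdr_chain *c, uint32_t len)
{
    if (len > UINT32_MAX - 3u || rndup32(len) > c->left)
        return -1;
    return (int64_t)len;
}

/* Probe with a chain that has 'left' bytes remaining (no bytes are read). */
static int64_t opaque_probe(uint32_t left, uint32_t len, int checked)
{
    struct xdr_chain c = { NULL, left };
    return checked ? opaque_checked(&c, len) : opaque_unchecked(&c, len);
}

/* --- get_fh: the missing length check --- */

#define FH_CAPACITY  64   /* bytes allocated for the file handle */
#define FH_MSG_MAX  128   /* largest handle the constructed message carries */
#define SENTINEL_SIZE 4
static const uint8_t SENTINEL[SENTINEL_SIZE] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* fhlen is the handle length already decoded from the message. The unchecked
 * variant copies that many bytes into the handle buffer without comparing it
 * to the buffer's capacity or to the bytes left in the chain. */
static int fh_copy(struct xdr_chain *c, uint32_t fhlen, uint8_t *dst,
                   size_t dstsize, int checked)
{
    if (checked && (fhlen > dstsize || fhlen > c->left))
        return -1;
    memcpy(dst, c->cur, fhlen);                /* unchecked: may overrun dst */
    c->cur += fhlen;
    c->left -= fhlen;
    return 0;
}

/* Constructs a message carrying an fhlen-byte handle (0x42 filler) and runs the
 * copy into a heap block of FH_CAPACITY bytes followed by a sentinel and slack,
 * so an overrun stays inside the allocation and the demo stays well-defined.
 * Returns 1 if the handle fit, 0 if the copy ran over the sentinel, -1 if the
 * checked variant rejected it. */
static int run_fh(uint32_t fhlen, int checked)
{
    if (fhlen > FH_MSG_MAX)
        return -2;
    uint8_t msg[FH_MSG_MAX];
    memset(msg, 0x42, sizeof msg);
    struct xdr_chain c = { msg, fhlen };

    uint8_t *dst = calloc(1, FH_CAPACITY + SENTINEL_SIZE + FH_MSG_MAX);
    if (dst == NULL)
        return -2;
    memcpy(dst + FH_CAPACITY, SENTINEL, SENTINEL_SIZE);
    int rc = fh_copy(&c, fhlen, dst, FH_CAPACITY, checked);
    int intact = memcmp(dst + FH_CAPACITY, SENTINEL, SENTINEL_SIZE) == 0;
    free(dst);
    return rc != 0 ? -1 : intact;
}
```

The rounding check has to happen on the unrounded value: once nfsm_rndup()-style arithmetic has wrapped, comparing the result with the bytes left tells you nothing, and a 96-byte handle advertised by the peer goes straight past a 64-byte buffer unless the length is compared with both the buffer capacity and the remaining message.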