There is a heap buffer overflow in icmp_error() in bsd/netinet/ip_icmp.c, at line 339. In the words of its source comment, the function generates an error packet of type error in response to bad packet ip; the error message is sent over ICMP. It calls m_copydata() to copy the header of the bad packet into the ICMP message, but it never checks whether that header fits in the destination buffer. An IPv4 header is not fixed-size: the IHL field allows it to grow to 60 bytes once options are present, so a header larger than the space reserved for it in the reply overruns the destination buffer, and a heap buffer overflow results.
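The sizing mistake described above, modelled as an added C example (this is illustrative code written for this page, not XNU's icmp_error(); the flat message layout, the 28-byte quote area sized for a 20-byte header plus 8 data bytes, the canary region and all function names are assumptions of the example). The unchecked variant bounds the quote by the length of the bad packet but not by the destination, so a packet whose IHL is 15 (60-byte header) writes 40 bytes past the quote area; the checked variant validates the header length against both before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MIN_HLEN     20  /* sizeof(struct ip): a header with no options */
#define IP_MAX_HLEN     60  /* IHL is a 4-bit word count, so at most 15 * 4 bytes */
#define ICMP_MINLEN      8  /* type, code, checksum, 4 unused bytes */
#define ICMP_QUOTE_DATA  8  /* RFC 792: quote the IP header plus 8 bytes of the datagram */

/* Quote area sized for a 20-byte header, as if sizeof(struct ip) were the header length
 * (assumption of this model).  The canary stands in for the neighbouring heap object. */
#define QUOTE_CAP   (IP_MIN_HLEN + ICMP_QUOTE_DATA)   /* 28 */
#define CANARY_LEN  64
#define CANARY_BYTE 0xA5

struct icmp_msg {
    /* [0,8) ICMP header, [8,36) quoted packet, [36,100) canary.
     * One flat array so the demonstration itself is well-defined C. */
    uint8_t bytes[ICMP_MINLEN + QUOTE_CAP + CANARY_LEN];
};

static void icmp_msg_init(struct icmp_msg *m, uint8_t type, uint8_t code)
{
    memset(m->bytes, 0, ICMP_MINLEN + QUOTE_CAP);
    memset(m->bytes + ICMP_MINLEN + QUOTE_CAP, CANARY_BYTE, CANARY_LEN);
    m->bytes[0] = type;
    m->bytes[1] = code;
}

/* 1 if nothing was written past the quote area, 0 if the copy reached the canary. */
int icmp_msg_canary_intact(const struct icmp_msg *m)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (m->bytes[ICMP_MINLEN + QUOTE_CAP + i] != CANARY_BYTE)
            return 0;
    return 1;
}

static size_t ip_hlen(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* Vulnerable pattern: the quote is bounded by the bad packet's length, never by the
 * destination's capacity.  Returns the number of bytes copied. */
size_t icmp_error_unchecked(const uint8_t *bad, size_t badlen, struct icmp_msg *out)
{
    size_t quote = ip_hlen(bad) + ICMP_QUOTE_DATA;
    if (quote > badlen)
        quote = badlen;
    icmp_msg_init(out, 3 /* destination unreachable */, 0);
    memcpy(out->bytes + ICMP_MINLEN, bad, quote);   /* overflows when quote > QUOTE_CAP */
    return quote;
}

/* Hardened form: validate IHL against the packet and the destination before copying.
 * Returns bytes copied, or -1 when the quote would not fit (a production fix would
 * instead size the destination for IP_MAX_HLEN + ICMP_QUOTE_DATA). */
long icmp_error_checked(const uint8_t *bad, size_t badlen, struct icmp_msg *out)
{
    size_t hlen = ip_hlen(bad);
    if (badlen < IP_MIN_HLEN || hlen < IP_MIN_HLEN || hlen > badlen)
        return -1;                              /* malformed IHL */
    size_t quote = hlen + ICMP_QUOTE_DATA;
    if (quote > badlen)
        quote = badlen;
    if (quote > QUOTE_CAP)
        return -1;                              /* the bound the unchecked version lacks */
    icmp_msg_init(out, 3, 0);
    memcpy(out->bytes + ICMP_MINLEN, bad, quote);
    return (long)quote;
}

/* Constructed input: IPv4 header with the given IHL (NOP options) plus `data` payload bytes. */
size_t make_bad_packet(uint8_t *buf, size_t cap, unsigned ihl_words, size_t data)
{
    size_t hlen = (size_t)ihl_words * 4, total = hlen + data;
    if (ihl_words < 5 || ihl_words > 15 || total > cap)
        return 0;
    memset(buf, 0x01, total);                   /* 0x01 = IP option NOP; payload arbitrary */
    buf[0] = (uint8_t)(0x40 | ihl_words);       /* version 4, IHL */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;   /* total length, big-endian */
    buf[9] = 17;                                /* protocol: UDP */
    return total;
}

/* Drives both variants on a packet with the given IHL; returns 1 if the unchecked copy
 * clobbered the canary.  *checked receives icmp_error_checked()'s result. */
int quote_overflows(unsigned ihl_words, long *checked)
{
    uint8_t pkt[128];
    struct icmp_msg m;
    size_t n = make_bad_packet(pkt, sizeof pkt, ihl_words, 32);
    if (n == 0)
        return -1;
    icmp_error_unchecked(pkt, n, &m);
    int clobbered = !icmp_msg_canary_intact(&m);
    *checked = icmp_error_checked(pkt, n, &m);
    return clobbered;
}

int main(void)
{
    for (unsigned ihl = 5; ihl <= 15; ihl += 5) {
        long c;
        int ovf = quote_overflows(ihl, &c);
        printf("IHL=%2u (%2u-byte header): unchecked overflow=%d checked=%ld\n", ihl, ihl * 4, ovf, c);
    }
    return 0;
}
```

The checked variant rejects rather than truncates because a silently shortened quote changes what the peer sees; the real remedy is to size the reply for the largest legal header, which is why the check must use the header's IHL-derived length and not sizeof(struct ip).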