ASA-2019-00271 – FreeBSD: ICMP/ICMP6 packet filter bypass in pf

pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet. A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable.

ASA-2018-00024 – Apple XNU: ICMP packet-handling vulnerability

There's a buffer overflow in icmp_error() on bsd/netinet/ip_icmp.c on line 339. This function generates an error packet of type error in response to bad packet ip. The ICMP protocol is used to send the error message. It calls m_copydata() to copy the header of the bad packet into an ICMP message. It doesn't check if the header is too big for the destination buffer and then a heap buffer overflow might occur.