Index: sys/netinet/ip_icmp.c
===================================================================
--- sys/netinet/ip_icmp.c
+++ sys/netinet/ip_icmp.c
@@ -309,7 +309,13 @@
 if (icmplen < sizeof(struct ip))
 goto freeit;
- if (MHLEN > sizeof(struct ip) + ICMP_MINLEN + icmplen)
+ /*
+ * XXX m_align may add up to sizeof(long) - 1 padding bytes. This
+ * logic does not belong here; this is a short-term fix for a buffer
+ * underwrite.
+ */
+ if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen +
+ sizeof(long) - 1) & ~(sizeof(long) - 1))
 m = m_gethdr(M_NOWAIT, MT_DATA);
 else
 m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
@@ -362,6 +368,7 @@
 * reply should bypass as well.
 */
 m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
+ KASSERT(m->m_data >= M_START(m) + sizeof(struct ip));
 m->m_data -= sizeof(struct ip);
 m->m_len += sizeof(struct ip);
 m->m_pkthdr.len = m->m_len;
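Review bot: The rewritten condition in the first hunk is mis-parenthesized: `>` binds tighter than `&`, so it parses as `(MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen + sizeof(long) - 1)) & ~(sizeof(long) - 1)`, and a 0/1 result masked with `~(sizeof(long) - 1)` is always zero, so every packet takes the `m_getcl()` branch and the `m_gethdr()` branch the comment describes is dead. The rounded length needs to be grouped as a whole: `if (MHLEN > ((sizeof(struct ip) + ICMP_MINLEN + icmplen + sizeof(long) - 1) & ~(sizeof(long) - 1)))`. Always allocating a cluster happens to keep the underwrite unreachable, which is why this would not show up in testing, but it is not the fix the comment claims and it silently changes the allocation size on the ICMP error path. The enclosing function, presumably icmp_error(), starts and ends outside the hunk.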
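Review bot: The KASSERT added in the second hunk is missing its message argument: FreeBSD's KASSERT(exp, msg) takes two arguments, so this line will not compile in an INVARIANTS kernel while expanding to nothing in a non-INVARIANTS build, which hides the error in the default configuration. It should read `KASSERT(m->m_data >= M_START(m) + sizeof(struct ip), ("%s: no room for IP header", __func__));`. The assertion is the right guard for the `m->m_data -= sizeof(struct ip)` on the next line, but it only fires under INVARIANTS, so the length rounding in the first hunk remains the only protection against the underwrite in production kernels. The enclosing function continues outside the hunk.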