icmp_error allocates either an mbuf w/ pkthdr or a cluster depending on the size of data to be quoted, but the calculation failed to account for additional padding that may be added by m_align.
Repeat the alignment logic inline where the mbuf / cluster decision is made as an immediate fix for the buffer underwrite. This will be revisited shortly.
Also add an assertion that we will not move m_data before the beginning of the mbuf or cluster.
Report in https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/
Reported by: a reddit user