Hi,
You can reproduce with ping -s 0 host (it crashes if the packet size
is less than 24).
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.123
diff -u -p -r1.123 ping.c
--- ping.c 2 May 2015 18:03:37 -0000 1.123
+++ ping.c 5 Aug 2015 08:40:22 -0000
@@ -803,7 +803,7 @@ pr_pack(char *buf, int cc, struct sockad
(void)printf(" (TRUNC!)");
cp = (u_char *)&icp->icmp_data[sizeof(struct payload)];
dp = &outpack[8 + sizeof(struct payload)];
- if (!(options & F_PINGFILLED)) {
+ if (!(options & F_PINGFILLED) && datalen >
sizeof(payload)) {
chacha_ivsetup(&fill_stream, payload.mac);
chacha_encrypt_bytes(&fill_stream, dp, dp,
datalen - sizeof(payload));
