I found this problem while porting a security patch to my uboot. I've created a PoC exploit which can hang uboot during ping command (even with commit b85d130ea0cac152c21ec38ac9417b31d41b5552). In my case changing:
if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE) to: if (ntohs(ip->ip_len) < IP_MIN_FRAG_DATAGRAM_SIZE) solved the problem. But now I can see it's a bigger issue. Tomorrow I will check these patches with my exploit.