Index: /trunk/src/VBox/Devices/Network/slirp/socket.c
===================================================================
--- /trunk/src/VBox/Devices/Network/slirp/socket.c	(revision 38904)
+++ /trunk/src/VBox/Devices/Network/slirp/socket.c	(revision 38905)
@@ -1353,5 +1353,4 @@
     ICMP_ECHO_REPLY *icr;
     int hlen = 0;
-    int data_len = 0;
     int nbytes = 0;
     u_char code = ~0;
@@ -1371,4 +1370,6 @@
     for (i = 0; i < len; ++i)
     {
+        LogFunc(("icr[%d] Data:%p, DataSize:%d\n",
+                 i, icr[i].Data, icr[i].DataSize));
         switch(icr[i].Status)
         {
@@ -1401,14 +1402,16 @@
 
                 m = m_getjcl(pData, M_NOWAIT, MT_HEADER, M_PKTHDR, size);
+                LogFunc(("m_getjcl returns m: %p\n", m));
                 if (m == NULL)
                     return;
                 m->m_len = 0;
                 m->m_data += if_maxlinkhdr;
+                m->m_pkthdr.header = mtod(m, void *);
+
                 ip = mtod(m, struct ip *);
                 ip->ip_src.s_addr = icr[i].Address;
                 ip->ip_p = IPPROTO_ICMP;
                 ip->ip_dst.s_addr = so->so_laddr.s_addr; /*XXX: still the hack*/
-                data_len = sizeof(struct ip);
-                ip->ip_hl =  data_len >> 2; /* requiered for icmp_reflect, no IP options */
+                ip->ip_hl =  sizeof(struct ip) >> 2; /* requiered for icmp_reflect, no IP options */
                 ip->ip_ttl = icr[i].Options.Ttl;
 
@@ -1428,16 +1431,21 @@
                 }
 
-                data_len += ICMP_MINLEN;
 
                 hlen = (ip->ip_hl << 2);
-                m->m_pkthdr.header = mtod(m, void *);
-                m->m_len = data_len;
-
-                m_copyback(pData, m, hlen + 8, icr[i].DataSize, icr[i].Data);
-
-                data_len += icr[i].DataSize;
-
-                ip->ip_len = data_len;
-                m->m_len = ip->ip_len;
+                Assert((hlen >= sizeof(struct ip)));
+
+                m->m_data += hlen + ICMP_MINLEN;
+                if (!RT_VALID_PTR(icr[i].Data))
+                {
+                    m_freem(pData, m);
+                    break;
+                }
+                m_copyback(pData, m, 0, icr[i].DataSize, icr[i].Data);
+                m->m_data -= hlen + ICMP_MINLEN;
+                m->m_len += hlen + ICMP_MINLEN;
+
+
+                ip->ip_len = m_length(m, NULL);
+                Assert((ip->ip_len == hlen + ICMP_MINLEN + icr[i].DataSize));
 
                 icmp_reflect(pData, m);
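Review bot: The two `Assert()`s added in this hunk are the only checks on the new length arithmetic, and IPRT's `Assert` is compiled out of non-strict builds. A release build therefore has no guard if `m_copyback` stores less than `icr[i].DataSize`, or if `hlen + ICMP_MINLEN + icr[i].DataSize` does not fit `ip->ip_len` (16 bits in the usual `struct ip`; confirm for this tree). A runtime test before `icmp_reflect` would cover both, mirroring the existing `RT_VALID_PTR` failure path: take `cb = m_length(m, NULL)` and use `if (cb != hlen + ICMP_MINLEN + icr[i].DataSize || cb > 0xffff) { m_freem(pData, m); break; }`. Separately, `RT_VALID_PTR(icr[i].Data)` says nothing about `DataSize` bytes being readable, and it could run before the mbuf is allocated rather than after `m_data` has been shifted. The enclosing `case` begins and ends outside this hunk, so what follows the `break` could not be checked.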
@@ -1453,4 +1461,5 @@
                 m = icm->im_m;
                 ip = mtod(m, struct ip *);
+                Assert(((ip_broken->ip_hl >> 2) >= sizeof(struct ip)));
                 ip->ip_ttl = icr[i].Options.Ttl;
                 src = ip->ip_src.s_addr;
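Review bot: The added `Assert(((ip_broken->ip_hl >> 2) >= sizeof(struct ip)))` shifts the wrong way. `ip_hl` counts 32-bit words in a 4-bit field, so `>> 2` yields at most 3 and the comparison against `sizeof(struct ip)` can never hold; the assertion would fire on every pass in strict builds and validate nothing. The byte length is `ip_hl << 2`, as in `hlen = (ip->ip_hl << 2)` in the previous hunk, so the line should read `Assert(((ip_broken->ip_hl << 2) >= sizeof(struct ip)));`. The context line `m_copyback(pData, m, ip->ip_hl >> 2, ...)` in the next hunk uses the same shift as a byte offset and looks worth re-checking. Since `ip_broken` appears to describe received packet data, a runtime bound on its header length before `m->m_len = (ip_broken->ip_hl << 2) + 64` would be safer than an assertion; where `ip_broken` is assigned is not visible in this hunk.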
@@ -1461,7 +1470,6 @@
                 icp = (struct icmp *)((char *)ip + hlen);
                 ip_broken->ip_src.s_addr = src; /*it packet sent from host not from guest*/
-                data_len = (ip_broken->ip_hl << 2) + 64;
-
-                m->m_len = data_len;
+
+                m->m_len = (ip_broken->ip_hl << 2) + 64;
                 m->m_pkthdr.header = mtod(m, void *);
                 m_copyback(pData, m, ip->ip_hl >> 2, icr[i].DataSize, icr[i].Data);
