A fairly rare possible buffer overflow:

Theo fixed this and tqbf reported it
Obtained from: OpenBSD

sbin/ping/ping.8

@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)ping.8	8.2 (Berkeley) 12/11/93
-.\"	$Id: ping.8,v 1.12 1997/07/18 17:52:03 wollman Exp $
+.\"	$Id: ping.8,v 1.13 1998/03/19 07:45:57 charnier Exp $
 .\"
 .Dd March 1, 1997
 .Dt PING 8
@@ -173,6 +173,9 @@ the
 .Xr traceroute 8
 command is usually better at determining the route packets take to a
 particular destination.
+If more routes come back than should, such as due to an illegal spoofed
+packet, ping will print the route list and then truncate it at the correct
+spot.
 Many hosts ignore or discard the
 .Tn RECORD_ROUTE
 option.

sbin/ping/ping.c

@@ -45,7 +45,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)ping.c	8.1 (Berkeley) 6/5/93";
 */
 static const char rcsid[] =
-	"$Id: ping.c,v 1.28 1997/08/11 04:33:07 fenner Exp $";
+	"$Id: ping.c,v 1.29 1997/12/24 00:59:02 imp Exp $";
 #endif /* not lint */
 
 /*
@@ -261,7 +261,6 @@ main(argc, argv)
 				errno = EPERM;
 				err(EX_NOPERM, "-l flag");
 			}
-			options |= F_FLOOD;
 			preload = ultmp;
 			break;
 		case 'L':
@@ -787,9 +786,14 @@ pr_pack(buf, cc, from)
 				cp += i;
 				break;
 			}
-			old_rrlen = i;
-			bcopy((char *)cp, old_rr, i);
+			if (i < MAXIPOPTLEN) {
+				old_rrlen = i;
+				bcopy((char *)cp, old_rr, i);
+			} else
+				old_rrlen = 0;
+
 			(void)printf("\nRR: ");
+			j = 0;
 			for (;;) {
 				l = *++cp;
 				l = (l<<8) + *++cp;
@@ -804,8 +808,13 @@ pr_pack(buf, cc, from)
 				}
 				hlen -= 4;
 				i -= 4;
+				j += 4;
 				if (i <= 0)
 					break;
+				if (j >= MAX_IPOPTLEN) {
+					(void) printf("\t(truncated route)");
+					break;
+				}
 				(void)putchar('\n');
 			}
 			break;